From d057e9dae15ab7bb343a3da4f82bcac644cf7e78 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 26 Mar 2025 14:44:35 +0100 Subject: [PATCH 001/153] configuration added --- .../openbao-alloy-configmap.yaml | 29 +++++++++++++++++++ .../sidecar-container-alloy-configmap.yaml | 25 ++++++++++++++++ .../ref-implementation/openbao/values.yaml | 24 +++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 template/stacks/ref-implementation/openbao-alloy-configmap.yaml create mode 100644 template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml diff --git a/template/stacks/ref-implementation/openbao-alloy-configmap.yaml b/template/stacks/ref-implementation/openbao-alloy-configmap.yaml new file mode 100644 index 0000000..d6f9bc6 --- /dev/null +++ b/template/stacks/ref-implementation/openbao-alloy-configmap.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao-logging-setup + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/ref-implementation/openbao-logging" + destination: + server: "https://kubernetes.default.svc" + namespace: openbao + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml new file mode 100644 index 0000000..b0129a6 --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml 
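Review bot: `targetRevision: HEAD` combined with `automated.selfHeal: true` applies whatever lands on the default branch of the edfbuilder repo to the openbao namespace with no pin, and this Application wires the logging and audit path of the secrets backend, so that is a wide supply-chain surface for a one-line setting; pin a tag or commit, or add a comment stating why tracking HEAD is acceptable for this stack. `retry.limit: -1` with `factor: 1` retries every 15 seconds forever, which hides a permanently broken sync rather than surfacing it; a finite limit with a comment such as `limit: 10  # give up so a broken stack shows as Degraded` is easier to alert on. The `env: dev` label also suggests this is not meant for production, which a comment at the top of the file could say outright.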
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: sidecar-container-alloy-config +data: + config.alloy: | + logging { + level = "info" + format = "logfmt" + } + loki.write "local_loki" { + endpoint { + url = "http://loki-loki-distributed-gateway.monitoring.svc.cluster.local/loki/api/v1/push" + } + } + + local.file_match "applogs" { + path_targets = [{"__path__" = "/openbao/logs/*"}] + sync_period = "5s" + } + + loki.source.file "openbao_logs" { + targets = local.file_match.applogs.targets + forward_to = [loki.write.local_loki.receiver] + } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 0ff72cf..e984864 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -1,9 +1,32 @@ server: + extraContainers: + - name: grafana-alloy + image: grafana/alloy:latest + ports: + - containerPort: 12345 + securityContext: + runAsUser: 100 + volumeMounts: + - name: log-storage + mountPath: /openbao/logs + - name: alloy-data + mountPath: /var/lib/alloy + - name: config-volume + mountPath: /etc/alloy + volumes: + - name: log-storage + emptyDir: {} + - name: alloy-data + emptyDir: {} + - name: config-volume + configMap: + name: sidecar-container-alloy-config postStart: - sh - -c - | sleep 10 + rm -rf /openbao/data/* # UN-initialises the openbao server (necessary for the new instance to spin up if the pod or container crashes) bao operator init >> /tmp/init.txt cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {} echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt 
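Review bot: `loki.write "local_loki"` pushes to a plain `http://` gateway with no `tls_config` or `basic_auth` block, so the OpenBao audit stream this sidecar exists to ship crosses the cluster network in clear text to an endpoint that accepts anything; the audit device hashes secret values by default, but request paths and client addresses are still in every record. A comment on the `endpoint` block recording that the Loki gateway is treated as trusted in-cluster traffic, or a `tls_config { }` block once the gateway terminates TLS, would make that decision explicit. The ConfigMap carries no `metadata.namespace`, so it relies entirely on the Argo Application's destination; worth a one-line comment so nobody applies it by hand into `default`.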
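Review bot: `rm -rf /openbao/data/*` at the top of `postStart` wipes the storage backend on every container start, so each restart re-initialises the server with a fresh root token and unseal keys and every secret written since the previous start is gone; if this is a deliberate throwaway dev instance it needs a comment saying so, otherwise the init block should be guarded by an initialised check rather than a wipe. `image: grafana/alloy:latest` is unpinned, so the sidecar that reads the audit log changes under you on every pull; pin a version tag or digest. The `log-storage` emptyDir is mounted only into the alloy container at `/openbao/logs` and not into the server, so nothing the server writes to its own filesystem is visible to `local.file_match`. The postStart script continues past the hunk.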
@@ -13,5 +36,6 @@ server: echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt rm /tmp/init.txt + bao audit enable file file_path=/var/log/openbao.log # enables the audit ui: enabled: true From a9ad7c1c5c00c77c75c8f61979bc3f563d838a59 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 26 Mar 2025 15:24:19 +0100 Subject: [PATCH 002/153] comments deleted --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index e984864..35eb57f 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -26,7 +26,7 @@ server: - -c - | sleep 10 - rm -rf /openbao/data/* # UN-initialises the openbao server (necessary for the new instance to spin up if the pod or container crashes) + rm -rf /openbao/data/* bao operator init >> /tmp/init.txt cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {} echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt @@ -36,6 +36,6 @@ server: echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt rm /tmp/init.txt - bao audit enable file file_path=/var/log/openbao.log # enables the audit + bao audit enable file file_path=/var/log/openbao.log ui: enabled: true From bd89c91d524d2a8ec87ed53f56fe6b51fa71a65f Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 26 Mar 2025 15:31:49 +0100 Subject: [PATCH 003/153] forgot to add login --- template/stacks/ref-implementation/openbao/values.yaml | 1 + 1 file changed, 1 insertion(+) 
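Review bot: `bao audit enable file file_path=/var/log/openbao.log` writes the audit device into the server container's own `/var/log`, which no volume backs in this commit, while the alloy sidecar tails the `log-storage` emptyDir at `/openbao/logs/*`; the two paths never meet, so no audit line is shipped. Mounting `log-storage` into the server at the directory `file_path` points to closes that gap. The command also runs with no token in the environment after `bao operator init`, so the server rejects it; the script, which has no `set -e`, carries on regardless and the `ui:` stanza below never learns that audit is off. The postStart script this line belongs to starts before the hunk.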
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 35eb57f..9451314 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -35,6 +35,7 @@ server: echo $(grep "Unseal Key 3:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key3.txt echo $(grep "Unseal Key 4:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key4.txt echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt + bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt bao audit enable file file_path=/var/log/openbao.log ui: From aaaf905edc873218b3af3e6ab9844f5fa75646df Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 26 Mar 2025 15:40:05 +0100 Subject: [PATCH 004/153] # rm -rf /openbao/data/* --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 9451314..70cde19 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -26,7 +26,7 @@ server: - -c - | sleep 10 - rm -rf /openbao/data/* + # rm -rf /openbao/data/* bao operator init >> /tmp/init.txt cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {} echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt 
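Review bot: `bao login $(grep "Initial Root Token:" ...)` passes the root token as a command-line argument and, unless a custom token helper is configured, caches it on disk in the container's home directory for the life of the container; with `/openbao/data/initial_token.txt` already written above, the root token now lives in three places inside the pod. Scoping it to the one call that needs it, `BAO_TOKEN="$(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')" bao audit enable file file_path=/var/log/openbao.log`, keeps it out of the token cache and off the persistent `bao login` state, and revoking the root token once bootstrap is done (`bao token revoke -self`) is what the production hardening guidance expects. The surrounding postStart script starts and ends outside the hunk.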
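Review bot: With `# rm -rf /openbao/data/*` the script is no longer idempotent and still has no `set -e`: on a restart against already-initialised storage `bao operator init` fails, `/tmp/init.txt` stays empty, and every `echo $(grep ...) | cat > /openbao/data/unseal_keyN.txt` then overwrites the saved unseal keys and root token with blank lines, locking the operator out of a sealed server. If the wipe is dropped, the init, unseal and key-file writes need to be skipped when the server is already initialised, for example on the `initialized` field of `bao status -format=json`, with a comment explaining the restart path. The script starts and ends outside the hunk.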
@@ -37,6 +37,6 @@ server: echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt - bao audit enable file file_path=/var/log/openbao.log + bao audit enable -path="file" file file_path=/var/log/openbao.log ui: enabled: true From 450b5ff1a8b94280c652a2bfe5b4d8aa827da8a1 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 26 Mar 2025 15:42:15 +0100 Subject: [PATCH 005/153] # removed --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 70cde19..fdedb44 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -26,7 +26,7 @@ server: - -c - | sleep 10 - # rm -rf /openbao/data/* + rm -rf /openbao/data/* bao operator init >> /tmp/init.txt cat /tmp/init.txt | grep "Key " | awk '{print $NF}' | xargs -I{} bao operator unseal {} echo $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/initial_token.txt From 1cb714aabb20296c1124ed1cb75863d32dc2704b Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 26 Mar 2025 15:51:24 +0100 Subject: [PATCH 006/153] volumeMounts: - mountPath: /var/log name: log-storage readOnly: false --- template/stacks/ref-implementation/openbao/values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index fdedb44..5096f09 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
@@ -21,6 +21,12 @@ server: - name: config-volume configMap: name: sidecar-container-alloy-config + + volumeMounts: + - mountPath: /var/log + name: log-storage + readOnly: false + postStart: - sh - -c From 6a5be1257cafd11d9cf899381dbb49d473db67c3 Mon Sep 17 00:00:00 2001 From: miwr Date: Thu, 27 Mar 2025 13:19:45 +0100 Subject: [PATCH 007/153] bao audit enable file file_path=stdout --- template/stacks/ref-implementation/openbao/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 5096f09..88179e0 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -43,6 +43,7 @@ server: echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt + bao audit enable file file_path=stdout bao audit enable -path="file" file file_path=/var/log/openbao.log ui: enabled: true From c79114f4633cb70f14690cdd39f3e724e2e353ff Mon Sep 17 00:00:00 2001 From: miwr Date: Thu, 27 Mar 2025 13:43:26 +0100 Subject: [PATCH 008/153] # bao audit enable file file_path=stdout --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 88179e0..4c53da3 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
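Review bot: `readOnly: false` is the Kubernetes default for a volumeMount and only adds noise; drop it or, if it is meant as a reminder that the server must write the audit file here, say that in a comment instead. The more important consequence of this mount is that the audit device enabled in `postStart` now writes into an unbounded emptyDir, and OpenBao blocks every request once no enabled audit device can persist a record, so disk pressure on this volume stalls the secrets backend rather than merely losing log lines; a comment stating that fail-closed behaviour, and rotation sized for it, belong next to this mount. The `volumes` list this mounts from starts outside the hunk.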
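Review bot: `bao audit enable file file_path=stdout` mounts a second `file` audit device at the default path `file/`, and the next line `bao audit enable -path="file" file ...` asks for that same path, so whichever runs second is rejected with a path-in-use error and the script, lacking `set -e`, carries on silently. Give the new device its own path, `bao audit enable -path="stdout" file file_path=stdout`, or drop it; if both are kept, a comment should note that every request is then recorded twice and that the stdout copy ends up in the container log. The postStart script starts outside the hunk.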
@@ -43,7 +43,7 @@ server: echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt - bao audit enable file file_path=stdout + # bao audit enable file file_path=stdout bao audit enable -path="file" file file_path=/var/log/openbao.log ui: enabled: true From 6acd284b83908526b651d539fef9b890e24983f2 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 10:03:59 +0200 Subject: [PATCH 009/153] - name: logrotate image: alpine:latest command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 volumeMounts: - name: host-log-storage mountPath: /openbao/logs - name: logrotate-config mountPath: /etc/logrotate.conf subPath: logrotate.conf --- .../ref-implementation/openbao/values.yaml | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 4c53da3..becbe06 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -6,13 +6,24 @@ server: - containerPort: 12345 securityContext: runAsUser: 100 - volumeMounts: - - name: log-storage - mountPath: /openbao/logs + volumeMounts: - name: alloy-data mountPath: /var/lib/alloy - name: config-volume mountPath: /etc/alloy + - name: host-log-storage + mountPath: /openbao/logs + - name: logrotate + image: alpine:latest + command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] + securityContext: + runAsUser: 100 + volumeMounts: + - name: host-log-storage + mountPath: /openbao/logs + - name: logrotate-config + mountPath: /etc/logrotate.conf + subPath: logrotate.conf volumes: - name: log-storage emptyDir: {} 
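Review bot: The new `logrotate` sidecar runs `/usr/sbin/logrotate` from `image: alpine:latest`, whose base image does not ship logrotate, so the `while true` loop fails every 60 seconds; its `volumeMounts` also reference a `logrotate-config` volume that the `volumes` list in the second hunk never declares, so the pod cannot be created until that is fixed. Pin an image known to contain logrotate and declare the ConfigMap-backed volume in the same commit. Both sidecars run as `runAsUser: 100` with no `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` or `resources`; for containers that sit beside the secrets backend and share its audit log directory a minimal securityContext and limits are worth adding now. The `extraContainers` list starts before the hunk.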
@@ -20,11 +31,15 @@ server: emptyDir: {} - name: config-volume configMap: - name: sidecar-container-alloy-config + name: sidecar-container-alloy-config + - name: host-log-storage + hostPath: + path: /var/log + type: Directory volumeMounts: - - mountPath: /var/log - name: log-storage + - mountPath: /openbao/logs + name: host-log-storage readOnly: false postStart: From 3853370a8c8f2af75d3f55496ee4b7aeb2289056 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 10:10:59 +0200 Subject: [PATCH 010/153] # - name: logrotate-config # mountPath: /etc/logrotate.conf # subPath: logrotate.conf --- template/stacks/ref-implementation/openbao/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index becbe06..772a535 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -21,9 +21,9 @@ server: volumeMounts: - name: host-log-storage mountPath: /openbao/logs - - name: logrotate-config - mountPath: /etc/logrotate.conf - subPath: logrotate.conf + # - name: logrotate-config + # mountPath: /etc/logrotate.conf + # subPath: logrotate.conf volumes: - name: log-storage emptyDir: {} From 881b65fcecf338537dbb404d36c19f00f2b124a9 Mon Sep 17 00:00:00 2001 
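Review bot: `hostPath: path: /var/log` with `type: Directory`, mounted read-write into the OpenBao server at `/openbao/logs` and into the logrotate sidecar, hands the pod write access to the node's entire `/var/log` rather than the one directory it needs, and places the audit log on node storage that any other pod mounting the same path can read; restricted Pod Security admission rejects hostPath outright. Point `path` at a dedicated subdirectory with `type: DirectoryOrCreate`, or use a PVC, and add a comment recording why node storage was chosen. The `log-storage` emptyDir is still declared but no container mounts it after this change, so it is now dead configuration. The `volumes` list starts before the hunk.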
From: miwr Date: Mon, 31 Mar 2025 10:19:39 +0200 Subject: [PATCH 011/153] apiVersion: apps/v1 kind: DaemonSet metadata: name: openbao-logging-dir namespace: openbao spec: selector: matchLabels: app: openbao-logging-dir template: metadata: labels: app: openbao-logging-dir spec: initContainers: - name: creator image: busybox command: ["/bin/sh", "-c"] args: - | set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao securityContext: runAsUser: 0 volumeMounts: - name: host-log mountPath: /var/log containers: - name: running-container image: busybox command: ["sleep", "infinity"] volumes: - name: host-log hostPath: path: /var/log type: Directory --- .../open-bao-logging-setup.yaml | 29 +++++++++++++++ .../create-logging-directory.yaml | 37 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 template/stacks/ref-implementation/open-bao-logging-setup.yaml create mode 100644 template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml diff --git a/template/stacks/ref-implementation/open-bao-logging-setup.yaml b/template/stacks/ref-implementation/open-bao-logging-setup.yaml new file mode 100644 index 0000000..5c26dc7 --- /dev/null +++ b/template/stacks/ref-implementation/open-bao-logging-setup.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao-logging-setup + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/ref-implementation/openbao-logging" + destination: + server: "https://kubernetes.default.svc" + namespace: openbao + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file 
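Review bot: `open-bao-logging-setup.yaml` defines an Argo `Application` with `metadata.name: openbao-logging-setup` in `namespace: argocd`, byte-for-byte the same object that `openbao-alloy-configmap.yaml` from the first patch still declares, so two files now describe one resource and whichever is applied last wins. Delete the older file in this commit rather than leaving both; its name was misleading anyway, since it is an Application, not a ConfigMap. The unpinned `targetRevision: HEAD` and unbounded `retry.limit: -1` are carried over unchanged.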
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml new file mode 100644 index 0000000..b46e3c0 --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: openbao-logging-dir + namespace: openbao +spec: + selector: + matchLabels: + app: openbao-logging-dir + template: + metadata: + labels: + app: openbao-logging-dir + spec: + initContainers: + - name: creator + image: busybox + command: ["/bin/sh", "-c"] + args: + - | + set -e + mkdir -p /var/log/openbao + chown 100:100 /var/log/openbao + securityContext: + runAsUser: 0 + volumeMounts: + - name: host-log + mountPath: /var/log + containers: + - name: running-container + image: busybox + command: ["sleep", "infinity"] + volumes: + - name: host-log + hostPath: + path: /var/log + type: Directory \ No newline at end of file From 08471dee479081187e4f9afe6425058b0f80fa30 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 10:25:48 +0200 Subject: [PATCH 012/153] bao audit enable -path="file" file file_path=/var/log/openbao/openbao.log --- template/stacks/ref-implementation/openbao/values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 772a535..1bcfd39 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -1,5 +1,6 @@ server: - extraContainers: + shareProcessNamespace: true + extraContainers: - name: grafana-alloy image: grafana/alloy:latest ports: 
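Review bot: `create-logging-directory.yaml` keeps a `busybox` container running `sleep infinity` on every node, behind a root init container (`runAsUser: 0`) that writes to the node's `/var/log` through hostPath, just to run `mkdir -p` and `chown 100:100` once; that is a permanent, unpinned (`image: busybox`, no tag or digest) root footprint on each node for a one-off action. Since the OpenBao pod already mounts the same hostPath at `/openbao/logs`, an `initContainer` on that pod, or a `/var/log/openbao` hostPath with `type: DirectoryOrCreate`, gets the same result without a DaemonSet. If the DaemonSet stays, pin the image, add `resources` and a `securityContext` to `running-container`, and record in a comment what UID 100 corresponds to.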
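Review bot: `shareProcessNamespace: true` puts the OpenBao server and both sidecars in one PID namespace, so each sidecar can see and signal the `bao` process and, where UID permissions allow, read its `/proc/<pid>` cmdline; with the root token still passed on the command line in `postStart` (`bao login $(...)`) that widens what can observe it. Presumably this is for a SIGHUP-driven audit-file reopen from logrotate; say so on the line, `shareProcessNamespace: true  # logrotate sidecar sends SIGHUP to bao to reopen the audit file`, and move the token into `BAO_TOKEN` for the single call so it is never a process argument. The `extraContainers` list continues past the hunk.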
@@ -59,6 +60,6 @@ server: bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt # bao audit enable file file_path=stdout - bao audit enable -path="file" file file_path=/var/log/openbao.log + bao audit enable -path="file" file file_path=/var/log/openbao/openbao.log ui: enabled: true From 06303ef35565ede99ce8de6cc4b19ed18bf3ecc1 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 10:30:15 +0200 Subject: [PATCH 013/153] bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 1bcfd39..ca66789 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -60,6 +60,6 @@ server: bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt # bao audit enable file file_path=stdout - bao audit enable -path="file" file file_path=/var/log/openbao/openbao.log + bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log ui: enabled: true From 30f0c6f2188c0d49d6a34d2545bf62fb6409e808 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 10:54:23 +0200 Subject: [PATCH 014/153] debian:stable-slim --- .../openbao-logging/logrotate-configmap.yaml | 14 ++++++++++++++ .../stacks/ref-implementation/openbao/values.yaml | 5 ++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml new file mode 100644 index 0000000..44712ee --- /dev/null 
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: logrotate-config +data: + logrotate.conf: | + /openbao/logs/*.log { + daily + rotate 7 + compress + missingok + notifempty + copytruncate + } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ca66789..75edd47 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,7 +15,7 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: alpine:latest + image: debian:stable-slim command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 @@ -33,6 +33,9 @@ server: - name: config-volume configMap: name: sidecar-container-alloy-config + - name: config-logrotate + configMap: + name: logrotate-config - name: host-log-storage hostPath: path: /var/log From 398c94fbc8ef98c54576457f9c2fefae19d8734f Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 11:02:11 +0200 Subject: [PATCH 015/153] alpine:latest --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 75edd47..c13da71 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,7 +15,7 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: debian:stable-slim + image: alpine:latest command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 From a35aefc376157c0bc98e6f8a85594296927427f4 Mon Sep 17 00:00:00 2001 
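Review bot: The glob `/openbao/logs/*.log` does not match the audit file the previous patch configured at `/openbao/logs/openbao/openbao.log`, so logrotate finds nothing and `missingok` hides that silently; the pattern needs the `openbao/` component. `copytruncate` on an audit log is lossy by design, since lines written between the copy and the truncate are discarded, and for an audit trail that is exactly the gap an investigation trips over; rename-then-signal (`postrotate` with a SIGHUP to `bao`, which reopens its audit file) avoids it. `daily` with `rotate 7` is a reasonable default but deserves a comment on the retention expected for audit data.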
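Review bot: `image: debian:stable-slim` does not contain `/usr/sbin/logrotate` either, as it is not part of the slim base image, so the `while true` loop still fails every 60 seconds; the sidecar needs an image that actually installs logrotate, pinned by tag or digest. The `config-logrotate` volume added in the second hunk is mounted by no container in this commit, because the logrotate mount lines are still commented out, so the new ConfigMap has no effect yet.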
From: miwr Date: Mon, 31 Mar 2025 11:07:40 +0200 Subject: [PATCH 016/153] image: debian:stable-slim --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index c13da71..75edd47 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,7 +15,7 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: alpine:latest + image: debian:stable-slim command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 From 17f578dde2fc020aafcd69760cf8f2f21eaf3e88 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 11:20:56 +0200 Subject: [PATCH 017/153] blacklabelops/logrotate --- .../openbao-logging/logrotate-configmap.yaml | 17 ++++++++++------- .../ref-implementation/openbao/values.yaml | 4 ++-- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 44712ee..7cab8de 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -4,11 +4,14 @@ metadata: name: logrotate-config data: logrotate.conf: | - /openbao/logs/*.log { - daily - rotate 7 - compress - missingok - notifempty - copytruncate + /openbao/logs/openbao/*.log { + size 5k + rotate 7 + compress + missingok + notifempty + postrotate + mkdir pupa + kill -SIGHUP $(pidof bao) + endscript } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 75edd47..48ed7fe 100644 
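Review bot: `mkdir pupa` in `postrotate` is leftover debugging that creates a directory in the sidecar's working directory on every rotation; remove it. `kill -SIGHUP $(pidof bao)` works only with the shared PID namespace from patch 012 and a `pidof` binary in the image, and when `pidof` prints nothing the command degrades to a bare `kill -SIGHUP` and errors; guard it, `pid=$(pidof bao) && kill -SIGHUP "$pid"`, and state in a comment that SIGHUP makes OpenBao reopen its audit file. `size 5k` rotates the audit log after a handful of requests and reads like a test value; record the intended threshold or return to `daily`.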
--- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,8 +15,8 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: debian:stable-slim - command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] + image: blacklabelops/logrotate:latest # MIT-License + # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 volumeMounts: From 0485a8fb765be32c9e9886e56a56f0153b1885b5 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 11:42:14 +0200 Subject: [PATCH 018/153] image: skymatic/logrotate:latest --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 48ed7fe..4e145da 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,7 +15,7 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: blacklabelops/logrotate:latest # MIT-License + image: skymatic/logrotate:latest # MIT License # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 From 5e47caaee135e2efc8f77780c2fe96c3fdf30aaa Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 11:54:31 +0200 Subject: [PATCH 019/153] - name: logrotate image: imroc/logrotate:latest env: - name: LOGROTATE_FILE_PATTERN value: "/var/log/nginx/nginx_*.log" - name: LOGROTATE_FILESIZE value: "20M" - name: LOGROTATE_FILENUM value: "10" - name: CRON_EXPR value: "*/1 * * * *" - name: CROND_LOGLEVEL value: "7" --- .../stacks/ref-implementation/openbao/values.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) 
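Review bot: `image: blacklabelops/logrotate:latest # MIT-License` pulls an unpinned third-party image from a personal registry namespace into the pod that holds the secrets backend and its audit log; the same applies to `skymatic/logrotate:latest` in the next patch and `imroc/logrotate:latest` after it. Whichever image is kept, pin it by digest, record its provenance in the comment (source repository, not just the licence), and confirm it reads `/etc/logrotate.conf` rather than its own configuration, since the `command` that invoked logrotate against that file is now commented out and nothing else references it. The `extraContainers` entry continues past the hunk.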
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 4e145da..08b87dd 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,7 +15,18 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: skymatic/logrotate:latest # MIT License + image: imroc/logrotate:latest + env: + - name: LOGROTATE_FILE_PATTERN + value: "/var/log/nginx/nginx_*.log" + - name: LOGROTATE_FILESIZE + value: "20M" + - name: LOGROTATE_FILENUM + value: "10" + - name: CRON_EXPR + value: "*/1 * * * *" + - name: CROND_LOGLEVEL + value: "7" # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 From 508ecd3f1217b4b0456a3cf71f8fc567aec2e9c5 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 12:07:24 +0200 Subject: [PATCH 020/153] imagePullPolicy: IfNotPresent --- template/stacks/ref-implementation/openbao/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 08b87dd..e1257ff 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -16,6 +16,7 @@ server: mountPath: /openbao/logs - name: logrotate image: imroc/logrotate:latest + imagePullPolicy: IfNotPresent env: - name: LOGROTATE_FILE_PATTERN value: "/var/log/nginx/nginx_*.log" From f6d18428764d6aeed575e67a25d18e353138b1ec Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 12:14:19 +0200 Subject: [PATCH 021/153] image: skymatic/logrotate:latest --- .../stacks/ref-implementation/openbao/values.yaml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) 
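Review bot: `LOGROTATE_FILE_PATTERN` is set to `"/var/log/nginx/nginx_*.log"`, an nginx example value that matches nothing in this pod; the audit file lives at `/openbao/logs/openbao/openbao.log`, so the value should be `"/openbao/logs/openbao/*.log"`. `CRON_EXPR: "*/1 * * * *"` together with `CROND_LOGLEVEL: "7"` is a debug setting that logs every minute; lower it or note why it is kept. If this image is configured through environment variables, as these settings suggest, the `logrotate-config` ConfigMap becomes dead configuration and should be removed or the comment should say which of the two is authoritative.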
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index e1257ff..59223a3 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -15,19 +15,7 @@ server: - name: host-log-storage mountPath: /openbao/logs - name: logrotate - image: imroc/logrotate:latest - imagePullPolicy: IfNotPresent - env: - - name: LOGROTATE_FILE_PATTERN - value: "/var/log/nginx/nginx_*.log" - - name: LOGROTATE_FILESIZE - value: "20M" - - name: LOGROTATE_FILENUM - value: "10" - - name: CRON_EXPR - value: "*/1 * * * *" - - name: CROND_LOGLEVEL - value: "7" + image: skymatic/logrotate:latest # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: runAsUser: 100 From e5ccae1aab0ab3a479aa15438346e2139aecdf70 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 12:22:35 +0200 Subject: [PATCH 022/153] - name: logrotate-config mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true --- template/stacks/ref-implementation/openbao/values.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 59223a3..b7781e7 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -22,9 +22,10 @@ server: volumeMounts: - name: host-log-storage mountPath: /openbao/logs - # - name: logrotate-config - # mountPath: /etc/logrotate.conf - # subPath: logrotate.conf + - name: logrotate-config + mountPath: /etc/logrotate.conf + subPath: logrotate.conf + readOnly: true volumes: - name: log-storage emptyDir: {} From 0107666fe2ebaf173c63f1c918eb202dfe8ba5de Mon Sep 17 00:00:00 2001 
From: miwr Date: Mon, 31 Mar 2025 12:31:38 +0200 Subject: [PATCH 023/153] logrotate-config-volume --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index b7781e7..95143da 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -22,7 +22,7 @@ server: volumeMounts: - name: host-log-storage mountPath: /openbao/logs - - name: logrotate-config + - name: logrotate-config-volume mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true @@ -34,7 +34,7 @@ server: - name: config-volume configMap: name: sidecar-container-alloy-config - - name: config-logrotate + - name: logrotate-config-volume configMap: name: logrotate-config - name: host-log-storage From 631be775f5f43bed3d61fed7d2cd7aea1553afa1 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 13:28:37 +0200 Subject: [PATCH 024/153] chown logrotate:logrotate /var/lib/logrotate.status --- .../grant-priviledges-to-logrotate.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml new file mode 100644 index 0000000..7db4e5b --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml 
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: logrotate-priveledges + namespace: openbao +spec: + selector: + matchLabels: + app: ologrotate-priveledges + template: + metadata: + labels: + app: logrotate-priveledges + spec: + initContainers: + - name: creator + image: busybox + command: ["/bin/sh", "-c", "useradd -u 100 logrotate && tail -f /dev/null", "chown logrotate:logrotate /var/lib/logrotate.status"] + securityContext: + runAsUser: 0 + containers: + - name: running-container + image: busybox + command: ["sleep", "infinity"] + restartPolicy: Never \ No newline at end of file From bc6ed363e233a918eb38c66868841f14e92b3d2a Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 13:38:33 +0200 Subject: [PATCH 025/153] logrotate-priviledges --- .../openbao-logging/grant-priviledges-to-logrotate.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml index 7db4e5b..163cba2 100644 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml @@ -1,21 +1,21 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: logrotate-priveledges + name: logrotate-priviledges namespace: openbao spec: selector: matchLabels: - app: ologrotate-priveledges + app: logrotate-priviledges template: metadata: labels: - app: logrotate-priveledges + app: logrotate-priviledges spec: initContainers: - name: creator image: busybox - command: ["/bin/sh", "-c", "useradd -u 100 logrotate && tail -f /dev/null", "chown logrotate:logrotate /var/lib/logrotate.status"] + command: ["/bin/sh", "-c", "useradd -u 100 logrotate && tail -f /dev/null", "chown logrotate:logrotate /var/lib"] securityContext: runAsUser: 0 containers: 
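Review bot: The `command` array in the `creator` init container never runs the chown: with `/bin/sh -c`, the third element is the script and the fourth (`chown logrotate:logrotate /var/lib/logrotate.status`) becomes `$0`, not a command. The script also ends in `tail -f /dev/null`, and an init container that never exits blocks every pod of this DaemonSet from ever starting its main container, so the chown would be pointless even if it ran. Since the container runs as root (`runAsUser: 0`) on every node, keep the script minimal and terminating, e.g. `command: ["/bin/sh", "-c", "adduser -D -u 100 logrotate && chown logrotate:logrotate /var/lib/logrotate.status"]` (busybox ships `adduser`, not `useradd`). `restartPolicy: Never` is also not accepted for a DaemonSet pod template; drop it.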
From 5a802be864fecaa0113577103e435e58ba63d970 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 13:45:05 +0200 Subject: [PATCH 026/153] - | set -e useradd -u 100 logrotate chown logrotate:logrotate /var/lib tail -f /dev/null --- .../openbao-logging/grant-priviledges-to-logrotate.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml index 163cba2..3c26b74 100644 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml @@ -15,7 +15,13 @@ spec: initContainers: - name: creator image: busybox - command: ["/bin/sh", "-c", "useradd -u 100 logrotate && tail -f /dev/null", "chown logrotate:logrotate /var/lib"] + command: ["/bin/sh", "-c"] + args: + - | + set -e + useradd -u 100 logrotate + chown logrotate:logrotate /var/lib + tail -f /dev/null securityContext: runAsUser: 0 containers: From a42df6275cc8093c922230f5a4518142f0b71428 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 13:50:24 +0200 Subject: [PATCH 027/153] restart policy removed --- .../openbao-logging/grant-priviledges-to-logrotate.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml index 3c26b74..4df2fcf 100644 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml 
@@ -27,5 +27,4 @@ spec: containers: - name: running-container image: busybox - command: ["sleep", "infinity"] - restartPolicy: Never \ No newline at end of file + command: ["sleep", "infinity"] \ No newline at end of file From abd7da5cd32eb99d4e71406eff2011fca2d2d98a Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 13:58:12 +0200 Subject: [PATCH 028/153] image: alpine:latest --- .../openbao-logging/grant-priviledges-to-logrotate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml index 4df2fcf..229e3d1 100644 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml @@ -14,7 +14,7 @@ spec: spec: initContainers: - name: creator - image: busybox + image: alpine:latest command: ["/bin/sh", "-c"] args: - | From f13bf825ff92787dcf08a1b738ea014f135ee25a Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 14:03:43 +0200 Subject: [PATCH 029/153] set -e chown 100:100 /var/lib tail -f /dev/null --- .../openbao-logging/grant-priviledges-to-logrotate.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml index 229e3d1..abe7aa9 100644 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml @@ -19,8 +19,7 @@ spec: args: - | set -e - useradd -u 100 logrotate - chown logrotate:logrotate /var/lib + chown 100:100 /var/lib tail -f /dev/null securityContext: runAsUser: 0 
From 63b17c9e32e9853fbe44b2c5f560d22c5d2cb10d Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 14:10:34 +0200 Subject: [PATCH 030/153] echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group --- .../openbao-logging/grant-priviledges-to-logrotate.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml index abe7aa9..31f85ae 100644 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml @@ -19,7 +19,9 @@ spec: args: - | set -e - chown 100:100 /var/lib + echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd + echo "logrotate:x:100:" >> /etc/group + chown logrotate:logrotate /var/lib tail -f /dev/null securityContext: runAsUser: 0 From fd02d55ddad322db896a84f4f577dd0d9f8fcf37 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 14:26:58 +0200 Subject: [PATCH 031/153] bao audit enable file file_path=stdout --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 95143da..a470528 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
@@ -63,7 +63,7 @@ server: echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt - # bao audit enable file file_path=stdout + bao audit enable file file_path=stdout bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log ui: enabled: true From 6f3effeaf5cf54569ebd882820b23dbb6a41a1a2 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 14:49:09 +0200 Subject: [PATCH 032/153] # bao audit enable file file_path=stdout --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index a470528..95143da 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -63,7 +63,7 @@ server: echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt - bao audit enable file file_path=stdout + # bao audit enable file file_path=stdout bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log ui: enabled: true From 888d32c40317431319b18e413ce53d7d055cbe04 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 14:49:48 +0200 Subject: [PATCH 033/153] set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group chown logrotate:logrotate /var/lib --- .../openbao-logging/create-logging-directory.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
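Review bot: Enabling a second audit device with `file_path=stdout` is reasonable, but the context lines around it show the bigger problem this commit leaves in place: the unseal keys are written in plaintext to `/openbao/data/unseal_key*.txt` on the same volume as the sealed storage, and the initial root token is used for `bao login` and never revoked. Anyone who can read that volume (the node holding the PV, a backup, a pod with the mount) can unseal and fully control the instance, which defeats the seal entirely. At minimum add `bao token revoke -self` after the audit devices are enabled so the root token does not outlive bootstrap, and move the key material out of the data directory (a Kubernetes Secret, or an auto-unseal KMS). The stdout device is a useful fallback because OpenBao, like Vault, refuses requests when none of the enabled audit devices can be written, so it is worth a one-line comment saying that is why it exists.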
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index b46e3c0..ced2059 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -20,7 +20,10 @@ spec: - | set -e mkdir -p /var/log/openbao - chown 100:100 /var/log/openbao + chown 100:100 /var/log/openbao + echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd + echo "logrotate:x:100:" >> /etc/group + chown logrotate:logrotate /var/lib securityContext: runAsUser: 0 volumeMounts: From ba9452e03c9ed0fa7e1219f68b9519032084797a Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 14:55:39 +0200 Subject: [PATCH 034/153] chown 100:100 /var/lib --- .../openbao-logging/create-logging-directory.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index ced2059..d46c6c5 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -23,7 +23,7 @@ spec: chown 100:100 /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group - chown logrotate:logrotate /var/lib + chown 100:100 /var/lib securityContext: runAsUser: 0 volumeMounts: From 8eae08aaa9990394181c465c2694f1aa24ed6ef3 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 15:04:11 +0200 Subject: [PATCH 035/153] securityContext: runAsUser: 0 --- .../openbao-logging/create-logging-directory.yaml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index d46c6c5..6f9c4d8 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -23,6 +23,7 @@ spec: chown 100:100 /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group + mkdir -p /home/logrotate chown 100:100 /var/lib securityContext: runAsUser: 0 @@ -33,6 +34,8 @@ spec: - name: running-container image: busybox command: ["sleep", "infinity"] + securityContext: + runAsUser: 0 volumes: - name: host-log hostPath: From 458414e779ce7e11dc5e8e18ee101d2a6cc02718 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 15:09:30 +0200 Subject: [PATCH 036/153] set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group mkdir -p /home/logrotate # chown 100:100 /var/lib --- .../openbao-logging/create-logging-directory.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index 6f9c4d8..c23d426 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -24,7 +24,7 @@ spec: echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group mkdir -p /home/logrotate - chown 100:100 /var/lib + # chown 100:100 /var/lib securityContext: runAsUser: 0 volumeMounts: From 56c5cc2620d8beb101e6ab31e29ff3e3fbb921ac Mon Sep 17 00:00:00 2001 
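Review bot: Adding `securityContext: runAsUser: 0` to `running-container`, whose only command is `sleep infinity`, leaves a root process idling on every node with nothing that needs the privilege. The privileged work already happens in the root init container; the placeholder should run unprivileged, e.g. `securityContext: {runAsNonRoot: true, runAsUser: 65534}`, or simply drop the two new lines. If the pause container was made root to make `kubectl exec` debugging convenient, that deserves a comment, because a DaemonSet-wide root `sleep` next to a hostPath volume (the `hostPath:` in the context lines) is otherwise a standing foothold for lateral movement. The pod template continues past the end of the hunk.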
From: miwr Date: Mon, 31 Mar 2025 15:24:21 +0200 Subject: [PATCH 037/153] - name: alloy-data mountPath: /var/lib/ --- template/stacks/ref-implementation/openbao/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 95143da..ad44336 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -20,6 +20,8 @@ server: securityContext: runAsUser: 100 volumeMounts: + - name: alloy-data + mountPath: /var/lib/ - name: host-log-storage mountPath: /openbao/logs - name: logrotate-config-volume From ce5bdf0226df08798113349f191f39f77572be54 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 15:35:06 +0200 Subject: [PATCH 038/153] runAsUser: 1 --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ad44336..0d6d7b6 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -18,7 +18,7 @@ server: image: skymatic/logrotate:latest # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: - runAsUser: 100 + runAsUser: 1 volumeMounts: - name: alloy-data mountPath: /var/lib/ From f66f437cdfbe8954722baa260dec69cbf01c10b5 Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 15:48:42 +0200 Subject: [PATCH 039/153] runAsUser: 100 --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 0d6d7b6..ad44336 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml 
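Review bot: Mounting the `alloy-data` emptyDir at `/var/lib/` in the `logrotate` sidecar hides the image's entire `/var/lib` tree, not just the status file, so anything the image keeps there (package metadata, presumably a `logrotate/` directory) disappears at runtime. If the goal is a writable home for `logrotate.status`, mount narrowly, e.g. `mountPath: /var/lib/logrotate`, and give the volume a name that reflects its new consumer, since `alloy-data` now serves logrotate rather than Alloy. The trailing slash is harmless but inconsistent with the other mount paths in the same list.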
+++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -18,7 +18,7 @@ server: image: skymatic/logrotate:latest # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: - runAsUser: 1 + runAsUser: 100 volumeMounts: - name: alloy-data mountPath: /var/lib/ From 1164768b9fba717da555657daaed97d7e051022a Mon Sep 17 00:00:00 2001 From: miwr Date: Mon, 31 Mar 2025 15:53:54 +0200 Subject: [PATCH 040/153] runAsUser: 1 --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ad44336..0d6d7b6 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -18,7 +18,7 @@ server: image: skymatic/logrotate:latest # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: - runAsUser: 100 + runAsUser: 1 volumeMounts: - name: alloy-data mountPath: /var/lib/ From 4f8eb0bc8b2731a715091f9d6c8ec5f2918792d6 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 10:05:55 +0200 Subject: [PATCH 041/153] chmod o+rwx /var/log/openbao --- .../openbao-logging/create-logging-directory.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index c23d426..51de6ff 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml 
@@ -21,6 +21,7 @@ spec: set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao + chmod o+rwx /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group mkdir -p /home/logrotate From 06fb6d223f0482dcf9904632c45113fec0c1a5b2 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 10:21:07 +0200 Subject: [PATCH 042/153] runAsUser: 100 --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 0d6d7b6..ad44336 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -18,7 +18,7 @@ server: image: skymatic/logrotate:latest # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] securityContext: - runAsUser: 1 + runAsUser: 100 volumeMounts: - name: alloy-data mountPath: /var/lib/ From 6df0858cdf12dc506276bcaff9ece31390524741 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 10:45:20 +0200 Subject: [PATCH 043/153] - name: init image: alpine:latest --- .../stacks/ref-implementation/openbao/values.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ad44336..ff02f55 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
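Review bot: `chmod o+rwx /var/log/openbao` makes the audit-log directory world-writable, and because this volume is a hostPath (the `hostPath:` volume appears in earlier patches to the same file, presumably backed by the node's `/var/log`) the directory being relaxed is on the node, not inside a container. Any process on that node can then create, truncate or swap files in the directory that holds OpenBao's audit trail, which is precisely the log an attacker wants to tamper with. The `chown 100:100` on the line above already gives the UID the sidecars run as the access they need; replace the chmod with `chmod 0750 /var/log/openbao` (or drop it) and solve any remaining permission problem on the consumer side with `runAsGroup: 100` or `fsGroup` rather than by opening the directory to everyone.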
@@ -1,5 +1,17 @@ server: shareProcessNamespace: true + extraInitContainers: + - name: init + image: alpine:latest + securityContext: + runAsUser: 0 + volumeMounts: + - name: alloy-data + mountPath: /var/lib/alloy + - name: config-volume + mountPath: /etc/alloy + - name: host-log-storage + mountPath: /openbao/logs extraContainers: - name: grafana-alloy image: grafana/alloy:latest From 77b571b768a3e5636a970a94c037c53da4b3f8e4 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 10:50:59 +0200 Subject: [PATCH 044/153] chown 100:100 /etc/passwd --- .../openbao-logging/create-logging-directory.yaml | 1 + .../stacks/ref-implementation/openbao/values.yaml | 12 ------------ 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index 51de6ff..e5d92c7 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -21,6 +21,7 @@ spec: set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao + chown 100:100 /etc/passwd chmod o+rwx /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ff02f55..ad44336 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
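Review bot: `chown 100:100 /etc/passwd` in the root init container hands ownership of the account database to the unprivileged UID the sidecars run as; whoever runs as UID 100 in that filesystem can append a `uid=0` entry and become root. The file being chowned is the init container's own overlay, so unless `/etc/passwd` is bind-mounted (nothing in this hunk shows that) the change never reaches the `logrotate` sidecar in the OpenBao pod, meaning the line adds risk without achieving its goal. Drop it; if the sidecar needs a `logrotate` account, add it in the sidecar image or via a read-only mounted passwd file rather than by relaxing ownership of the init container's `/etc/passwd`.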
@@ -1,17 +1,5 @@ server: shareProcessNamespace: true - extraInitContainers: - - name: init - image: alpine:latest - securityContext: - runAsUser: 0 - volumeMounts: - - name: alloy-data - mountPath: /var/lib/alloy - - name: config-volume - mountPath: /etc/alloy - - name: host-log-storage - mountPath: /openbao/logs extraContainers: - name: grafana-alloy image: grafana/alloy:latest From 12a4ed37f72a96642376f8022a32a6aae1c6de3a Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 10:51:43 +0200 Subject: [PATCH 045/153] /etc/group --- .../openbao-logging/create-logging-directory.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index e5d92c7..710f060 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -22,6 +22,7 @@ spec: mkdir -p /var/log/openbao chown 100:100 /var/log/openbao chown 100:100 /etc/passwd + chown 100:100 /etc/group chmod o+rwx /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group From 2dc751b5e369f4886d8620d08b5e15e4b33fb14e Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 10:59:09 +0200 Subject: [PATCH 046/153] chmod o+rwx /etc/passwd chmod o+rwx /etc/group --- .../openbao-logging/create-logging-directory.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index 710f060..8a3d478 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml 
@@ -21,8 +21,8 @@ spec: set -e mkdir -p /var/log/openbao chown 100:100 /var/log/openbao - chown 100:100 /etc/passwd - chown 100:100 /etc/group + chmod o+rwx /etc/passwd + chmod o+rwx /etc/group chmod o+rwx /var/log/openbao echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd echo "logrotate:x:100:" >> /etc/group From cda3fc817978b09b4e59874f01798dac1c1b24c5 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 11:15:20 +0200 Subject: [PATCH 047/153] extraArgs: - chmod o+rwx /etc/passwd - chmod o+rwx /etc/group --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index ad44336..95e7a5a 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -49,6 +49,10 @@ server: name: host-log-storage readOnly: false + extraArgs: + - chmod o+rwx /etc/passwd + - chmod o+rwx /etc/group + postStart: - sh - -c From de3194062db60ac434ab4796ef05a6e34df4d990 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 11:16:07 +0200 Subject: [PATCH 048/153] extraArgs: - | chmod o+rwx /etc/passwd chmod o+rwx /etc/group --- template/stacks/ref-implementation/openbao/values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 95e7a5a..7442ad3 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -50,8 +50,9 @@ server: readOnly: false extraArgs: - - chmod o+rwx /etc/passwd - - chmod o+rwx /etc/group + - | + chmod o+rwx /etc/passwd + chmod o+rwx /etc/group postStart: - sh From d3b60c036a0f5d263ad85cdc2b90293a4a23323c Mon Sep 17 00:00:00 2001 
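Review bot: `extraArgs` in the OpenBao chart is, as I read it (it inherits the Vault chart's behaviour), a string appended to the `bao server` command line, not a script that gets executed, so the two `chmod o+rwx` entries would be passed to `bao server` as stray arguments and the list form is not the shape the chart expects. If they did run, a world-writable `/etc/passwd` and `/etc/group` inside the secrets-server container would let any process at any UID add a root account, a far larger exposure than the logrotate permission problem they are trying to work around. Remove the block; the account mapping the sidecar needs should come from a read-only mounted passwd file or the sidecar image, and `/etc/passwd` in the server container should stay untouched.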
From: miwr Date: Tue, 1 Apr 2025 11:20:56 +0200 Subject: [PATCH 049/153] extraArgs: "chmod o+rwx /etc/passwd" --- template/stacks/ref-implementation/openbao/values.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 7442ad3..f83bb6c 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -49,10 +49,7 @@ server: name: host-log-storage readOnly: false - extraArgs: - - | - chmod o+rwx /etc/passwd - chmod o+rwx /etc/group + extraArgs: "chmod o+rwx /etc/passwd" postStart: - sh From ad761950047d793c301bb86fdfd9831862582252 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 11:35:26 +0200 Subject: [PATCH 050/153] passwd-user-configmap --- .../openbao-logging/user-configmap.yaml | 9 +++++++++ template/stacks/ref-implementation/openbao/values.yaml | 6 ++++++ 2 files changed, 15 insertions(+) create mode 100644 template/stacks/ref-implementation/openbao-logging/user-configmap.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml new file mode 100644 index 0000000..be18240 --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: passwd-user-configmap +data: + passwd: | + root:x:0:0:root:/root:/bin/sh + openbao:x:100:1000::/home/openbao:/sbin/nologin + logrotate:x:100:100::/home/logrotate:/bin/sh \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index f83bb6c..701a6d3 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
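Review bot: The `passwd` data gives two accounts the same UID: `openbao:x:100:1000` and `logrotate:x:100:100`. UID-to-name lookups return the first match, so a process running as 100 resolves to `openbao` with primary group 1000 whichever entry was intended, and the `logrotate` line only confuses later audits of who owns the rotated files. Keep one entry per UID (give logrotate its own UID, or drop the line and run the sidecar as `openbao`), and give service accounts `/sbin/nologin` rather than `/bin/sh` since nothing in this file needs an interactive shell for them. A short comment explaining why the image's `/etc/passwd` is being overlaid at all would help the next reader.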
@@ -39,6 +39,9 @@ server: - name: logrotate-config-volume configMap: name: logrotate-config + - name: passwd-volume + configMap: + name: passwd-user-configmap - name: host-log-storage hostPath: path: /var/log @@ -48,6 +51,9 @@ server: - mountPath: /openbao/logs name: host-log-storage readOnly: false + - mountPath: /etc/passwd + name: passwd-volume + subPath: passwd extraArgs: "chmod o+rwx /etc/passwd" From 37a9a73664814508873aceb0c33441d359b68a28 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 11:44:19 +0200 Subject: [PATCH 051/153] - name: passwd-volume mountPath: /etc/passwd subPath: passwd --- template/stacks/ref-implementation/openbao/values.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 701a6d3..c1bc63d 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -28,6 +28,9 @@ server: mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true + - name: passwd-volume + mountPath: /etc/passwd + subPath: passwd volumes: - name: log-storage emptyDir: {} @@ -51,11 +54,6 @@ server: - mountPath: /openbao/logs name: host-log-storage readOnly: false - - mountPath: /etc/passwd - name: passwd-volume - subPath: passwd - - extraArgs: "chmod o+rwx /etc/passwd" postStart: - sh From 7cc75f0095bb4a299b2a91cddfe35d1d7d4bbb33 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 11:44:52 +0200 Subject: [PATCH 052/153] test --- .../ref-implementation/openbao-logging/user-configmap.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml index be18240..d410b83 100644 --- a/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml 
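Review bot: The context lines show `host-log-storage` is `hostPath: path: /var/log` mounted with `readOnly: false`, and this mount list appears to be the server's own `volumeMounts` (it sits at `server:` level next to `extraArgs`, not inside `extraContainers`), so the OpenBao server container gets write access to the node's entire `/var/log` rather than just its audit directory. Narrow the volume to `hostPath: {path: /var/log/openbao, type: DirectoryOrCreate}` so a compromised server can touch only its own logs. The new `/etc/passwd` overlay lands in the same container and replaces the image's user database with the three-line ConfigMap; if the entrypoint depends on any other entry that will fail at runtime, and the mount belongs on the logrotate sidecar, which is the container that actually needs the mapping.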
+++ b/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml @@ -5,5 +5,4 @@ metadata: data: passwd: | root:x:0:0:root:/root:/bin/sh - openbao:x:100:1000::/home/openbao:/sbin/nologin - logrotate:x:100:100::/home/logrotate:/bin/sh \ No newline at end of file + openbao:x:100:1000::/home/openbao:/sbin/nologin \ No newline at end of file From c9d72e9f90ebfbfdabe8fa9e463b0e6a6af9205d Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 11:57:46 +0200 Subject: [PATCH 053/153] should be done --- .../grant-priviledges-to-logrotate.yaml | 31 ------------------- .../openbao-logging/logrotate-configmap.yaml | 4 +-- ...figmap.yaml => passwd-user-configmap.yaml} | 0 .../sidecar-container-alloy-configmap.yaml | 25 --------------- .../ref-implementation/openbao/values.yaml | 25 +-------------- 5 files changed, 3 insertions(+), 82 deletions(-) delete mode 100644 template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml rename template/stacks/ref-implementation/openbao-logging/{user-configmap.yaml => passwd-user-configmap.yaml} (100%) delete mode 100644 template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml b/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml deleted file mode 100644 index 31f85ae..0000000 --- a/template/stacks/ref-implementation/openbao-logging/grant-priviledges-to-logrotate.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: logrotate-priviledges - namespace: openbao -spec: - selector: - matchLabels: - app: logrotate-priviledges - template: - metadata: - labels: - app: logrotate-priviledges - spec: - initContainers: - - name: creator - image: alpine:latest - command: ["/bin/sh", "-c"] - args: - - | - set -e - echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd - echo "logrotate:x:100:" >> /etc/group - chown logrotate:logrotate /var/lib - tail -f /dev/null - securityContext: - runAsUser: 0 - containers: - - name: running-container - image: busybox - command: ["sleep", "infinity"] \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 7cab8de..69ee171 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -5,13 +5,13 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 5k + size 100M rotate 7 compress + delaycompress missingok notifempty postrotate - mkdir pupa kill -SIGHUP $(pidof bao) endscript } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/user-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml similarity index 100% rename from template/stacks/ref-implementation/openbao-logging/user-configmap.yaml rename to template/stacks/ref-implementation/openbao-logging/passwd-user-configmap.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml deleted file mode 100644 index b0129a6..0000000 
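Review bot: The `postrotate` script `kill -SIGHUP $(pidof bao)` has no guard: if `pidof` finds nothing (server restarting, or the PID namespace not shared) the unquoted substitution leaves `kill -SIGHUP` with no PID and the script fails, and if it finds several processes it signals all of them. Use `pkill -HUP -x bao || true` or `pid=$(pidof bao) && kill -HUP "$pid"`, and add a comment stating that rotation relies on `shareProcessNamespace: true` and on the sidecar running under the same UID as `bao`, since otherwise the signal is refused. Raising `size` to 100M and removing the stray `mkdir pupa` are right; `delaycompress` should stay because it covers the window in which `bao` may still be writing to the renamed file before it reopens on SIGHUP.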
--- a/template/stacks/ref-implementation/openbao-logging/sidecar-container-alloy-configmap.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: sidecar-container-alloy-config -data: - config.alloy: | - logging { - level = "info" - format = "logfmt" - } - loki.write "local_loki" { - endpoint { - url = "http://loki-loki-distributed-gateway.monitoring.svc.cluster.local/loki/api/v1/push" - } - } - - local.file_match "applogs" { - path_targets = [{"__path__" = "/openbao/logs/*"}] - sync_period = "5s" - } - - loki.source.file "openbao_logs" { - targets = local.file_match.applogs.targets - forward_to = [loki.write.local_loki.receiver] - } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index c1bc63d..474f26c 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -1,27 +1,11 @@ server: shareProcessNamespace: true extraContainers: - - name: grafana-alloy - image: grafana/alloy:latest - ports: - - containerPort: 12345 - securityContext: - runAsUser: 100 - volumeMounts: - - name: alloy-data - mountPath: /var/lib/alloy - - name: config-volume - mountPath: /etc/alloy - - name: host-log-storage - mountPath: /openbao/logs - name: logrotate - image: skymatic/logrotate:latest - # command: ["/bin/sh", "-c", "while true; do /usr/sbin/logrotate /etc/logrotate.conf; sleep 60; done"] + image: skymatic/logrotate:latest # MIT License securityContext: runAsUser: 100 volumeMounts: - - name: alloy-data - mountPath: /var/lib/ - name: host-log-storage mountPath: /openbao/logs - name: logrotate-config-volume 
@@ -32,13 +16,6 @@ server: mountPath: /etc/passwd subPath: passwd volumes: - - name: log-storage - emptyDir: {} - - name: alloy-data - emptyDir: {} - - name: config-volume - configMap: - name: sidecar-container-alloy-config - name: logrotate-config-volume configMap: name: logrotate-config From fc6ee8bcae24b18ebe39a6781f185a9cc8dabdff Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 12:53:31 +0200 Subject: [PATCH 054/153] 1M --- .../openbao-logging/create-logging-directory.yaml | 9 +-------- .../openbao-logging/logrotate-configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml index 8a3d478..61f45ef 100644 --- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml +++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml @@ -20,14 +20,7 @@ spec: - | set -e mkdir -p /var/log/openbao - chown 100:100 /var/log/openbao - chmod o+rwx /etc/passwd - chmod o+rwx /etc/group - chmod o+rwx /var/log/openbao - echo "logrotate:x:100:100::/home/logrotate:/bin/sh" >> /etc/passwd - echo "logrotate:x:100:" >> /etc/group - mkdir -p /home/logrotate - # chown 100:100 /var/lib + chown 100:100 /var/log/openbao securityContext: runAsUser: 0 volumeMounts: diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 69ee171..586c688 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -5,7 +5,7 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 100M + size 1M rotate 7 compress delaycompress From ee630c88b910458b40f78f623f903098bff10eea Mon Sep 17 00:00:00 2001 
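Review bot: In the `@@ -1,27 +1,11 @@` hunk the surviving `logrotate` sidecar is pulled from the mutable tag `skymatic/logrotate:latest`, yet it runs inside the OpenBao pod with `shareProcessNamespace: true` (so it can signal the `bao` process) and writes into `host-log-storage`, which the volume definitions elsewhere in this series make a hostPath on the node's `/var/log`. A tag that can be re-pointed upstream is a supply-chain foothold straight into the secrets server's pod; pin the image by digest and tighten its securityContext so a compromised rotator at least cannot escalate (dropping all capabilities should be safe here since the rotator only renames files it owns and signals a same-uid process, but confirm the image's crond copes with it). The `# MIT License` comment records licensing, not provenance; a digest records both. The lines I would change are below; the volumeMounts are unchanged.
```yaml
    - name: logrotate
      image: skymatic/logrotate:latest  # MIT License; pin to an immutable tag@sha256 digest before merging
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      # … unchanged: volumeMounts …
```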
From: miwr Date: Tue, 1 Apr 2025 13:18:44 +0200 Subject: [PATCH 055/153] env: - name: CRON_SCHEDULE value: "0 * * * *" - name: TINI_SUBREAPER value: --- template/stacks/ref-implementation/openbao/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 474f26c..be965b9 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -5,6 +5,11 @@ server: image: skymatic/logrotate:latest # MIT License securityContext: runAsUser: 100 + env: + - name: CRON_SCHEDULE + value: "0 * * * *" + - name: TINI_SUBREAPER + value: volumeMounts: - name: host-log-storage mountPath: /openbao/logs From 7b8ea2de6b88e0caf3ca5be756a8e6409ead1254 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 13:28:10 +0200 Subject: [PATCH 056/153] status --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index be965b9..15d396d 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -17,6 +17,8 @@ server: mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true + - name: status + mountPath: /var/lib - name: passwd-volume mountPath: /etc/passwd subPath: passwd @@ -27,6 +29,8 @@ server: - name: passwd-volume configMap: name: passwd-user-configmap + - name: status + emptyDir: {} - name: host-log-storage hostPath: path: /var/log From 29ec426778d500ed5903513845edd835d990782b Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 13:36:33 +0200 Subject: [PATCH 057/153] delaycompress rmoved --- .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 1 - 1 file changed, 1 deletion(-) 
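Review bot: `TINI_SUBREAPER` is given a bare `value:` in the env hunk, which YAML parses as null rather than an empty string; Kubernetes will most likely serialise the missing field back as `""` so the container does see the variable set (tini, as far as I recall, only checks for presence), but that works by accident of the API round-trip rather than by what the file says, and yamllint flags the empty value. Write it explicitly: `value: ""`. A comment above it, `# tini enables subreaper mode when this variable exists, whatever its value`, would save the next reader a lookup.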
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 586c688..0892d64 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -8,7 +8,6 @@ data: size 1M rotate 7 compress - delaycompress missingok notifempty postrotate From 5200aa748ce66d69931733d5b9dafe26af90677e Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 13:53:08 +0200 Subject: [PATCH 058/153] 5k --- .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 0892d64..391afed 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -5,7 +5,7 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 1M + size 5k rotate 7 compress missingok From 71a45cc0b8808082b42fc8110c2a47782d849238 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 14:04:13 +0200 Subject: [PATCH 059/153] value: "* * * * *" --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 15d396d..4311e87 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -7,7 +7,7 @@ server: runAsUser: 100 env: - name: CRON_SCHEDULE - value: "0 * * * *" + value: "* * * * *" - name: TINI_SUBREAPER value: volumeMounts: From 485e7720165bd0a7ed9fb3264242f63a735d0402 Mon Sep 17 00:00:00 2001 
From: miwr Date: Tue, 1 Apr 2025 14:11:35 +0200 Subject: [PATCH 060/153] # - name: status # mountPath: /var/lib --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 4311e87..9653e25 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -17,8 +17,8 @@ server: mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true - - name: status - mountPath: /var/lib + # - name: status + # mountPath: /var/lib - name: passwd-volume mountPath: /etc/passwd subPath: passwd From b5a515c6f9ed165d69531419705405c8da063d88 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 1 Apr 2025 14:44:46 +0200 Subject: [PATCH 061/153] imroc/logrotate:latest --- .../stacks/ref-implementation/openbao/values.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 9653e25..1a8b164 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -22,6 +22,20 @@ server: - name: passwd-volume mountPath: /etc/passwd subPath: passwd + - name: logrotate + image: imroc/logrotate:latest + imagePullPolicy: IfNotPresent + env: + - name: LOGROTATE_FILE_PATTERN + value: "/openbao/logs/openbao/*.log" + - name: LOGROTATE_FILESIZE + value: "5k" + - name: LOGROTATE_FILENUM + value: "10" + - name: CRON_EXPR + value: "*/1 * * * *" + - name: CROND_LOGLEVEL + value: "7" volumes: - name: logrotate-config-volume configMap: From 49fdf90dd8b7ec72b64d74b91413ebf1a646dcb4 Mon Sep 17 00:00:00 2001 
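Review bot: The `@@ -22,6 +22,20 @@` hunk adds a second container named `logrotate` to `extraContainers` while the first `logrotate` container (visible as context in the earlier hunks against this file) keeps that name; container names must be unique within a pod, so the API server rejects the rendered StatefulSet before any of this runs. The new container also has no `securityContext`, unlike its sibling, so it runs as whatever user `imroc/logrotate:latest` defaults to, from a mutable tag, with `CROND_LOGLEVEL: "7"` debug logging left on. Give it a distinct name, the same `securityContext: runAsUser: 100` as the first rotator, and a pinned image.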
From: miwr Date: Tue, 1 Apr 2025 14:49:40 +0200 Subject: [PATCH 062/153] - name: logrotate2 --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 1a8b164..2b0c7aa 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -22,7 +22,7 @@ server: - name: passwd-volume mountPath: /etc/passwd subPath: passwd - - name: logrotate + - name: logrotate2 image: imroc/logrotate:latest imagePullPolicy: IfNotPresent env: From a2d2bd9b87d16a32404ab59f5aacc00aa7beb257 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 08:59:29 +0200 Subject: [PATCH 063/153] volumeMounts: - name: host-log-storage mountPath: /openbao/logs --- template/stacks/ref-implementation/openbao/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 2b0c7aa..71c2593 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -36,6 +36,9 @@ server: value: "*/1 * * * *" - name: CROND_LOGLEVEL value: "7" + volumeMounts: + - name: host-log-storage + mountPath: /openbao/logs volumes: - name: logrotate-config-volume configMap: From 48fb2c1481d4cd430386df3404371050be906b48 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 09:53:08 +0200 Subject: [PATCH 064/153] size 1M --- .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 2 +- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 391afed..0892d64 100644 
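Review bot: Two independent logrotate instances now act on `/openbao/logs/openbao/*.log` every minute, because the `@@ -36,6 +36,9 @@` hunk gives `logrotate2` the same `host-log-storage` mount as the ConfigMap-driven rotator, and the env-driven one (`LOGROTATE_FILE_PATTERN`, `LOGROTATE_FILENUM: "10"`) has no post-rotation hook that I can see. Whichever fires first renames the file; when it is `logrotate2`, `bao` is never told to reopen its audit device and keeps writing to the renamed file, and once that file is compressed (the ConfigMap config sets `compress`) the original is unlinked and the audit records go to a deleted inode. For an audit log that is silent loss, not a housekeeping nit. Keep one rotator for this path and make sure the one that stays signals the server, as the existing `postrotate` block does.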
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -5,7 +5,7 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 5k + size 1M rotate 7 compress missingok diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 71c2593..67f6ec6 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -29,7 +29,7 @@ server: - name: LOGROTATE_FILE_PATTERN value: "/openbao/logs/openbao/*.log" - name: LOGROTATE_FILESIZE - value: "5k" + value: "1M" - name: LOGROTATE_FILENUM value: "10" - name: CRON_EXPR From ca9fd7ba39a1a16b8d2da7486dc9aac294f44477 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 10:08:07 +0200 Subject: [PATCH 065/153] - name: status mountPath: /var/lib --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 67f6ec6..1df2fbb 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -17,8 +17,8 @@ server: mountPath: /etc/logrotate.conf subPath: logrotate.conf readOnly: true - # - name: status - # mountPath: /var/lib + - name: status + mountPath: /var/lib - name: passwd-volume mountPath: /etc/passwd subPath: passwd From 5db72e2dc0e457897b0cfe1d325dc36255375b39 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 10:43:10 +0200 Subject: [PATCH 066/153] cronjob --- .../openbao-logging/logrotate-cronjob.yaml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml 
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml new file mode 100644 index 0000000..12ff152 --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -0,0 +1,43 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: example-cronjob + namespace: openbao +spec: + schedule: "*/2 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: logrotate + image: skymatic/logrotate:latest + securityContext: + runAsUser: 100 + command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf"] + volumeMounts: + - name: host-log-storage + mountPath: /openbao/logs + - name: logrotate-config-volume + mountPath: /etc/logrotate.conf + subPath: logrotate.conf + readOnly: true + - name: passwd-volume + mountPath: /etc/passwd + subPath: passwd + - name: status + mountPath: /var/lib + restartPolicy: OnFailure + volumes: + - name: host-log-storage + hostPath: + path: /var/log + type: Directory + - name: logrotate-config-volume + configMap: + name: logrotate-config + - name: passwd-volume + configMap: + name: passwd-user-configmap + - name: status + emptyDir: {} \ No newline at end of file From 1a85de6cda6a118f2a3cab1cc29d549656d7b02e Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 11:03:54 +0200 Subject: [PATCH 067/153] 5k --- .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 2 +- .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 0892d64..391afed 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml 
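Review bot: The new CronJob runs `logrotate /etc/logrotate.conf` in its own pod, but the `postrotate` hook in `logrotate-config` (see the earlier hunk against logrotate-configmap.yaml) is `kill -SIGHUP $(pidof bao)`; from a separate pod there is no `bao` in the PID namespace, so the hook fails, the server keeps writing to the renamed file, and `compress` then gzips and unlinks it, losing audit records until the OpenBao pod restarts. The pod also mounts `hostPath: /var/log` with no node affinity, so on a cluster with more than one node it may run on a node where OpenBao is not writing at all. Either keep rotation inside the OpenBao pod (where the sidecars already share the PID namespace) or give the job a way to reach the server that does not depend on `pidof`. Independently, add `concurrencyPolicy: Forbid` under `spec:` so a slow run cannot overlap the next one on the same files.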
@@ -5,7 +5,7 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 1M + size 5k rotate 7 compress missingok diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 12ff152..7fed4c3 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -14,7 +14,7 @@ spec: image: skymatic/logrotate:latest securityContext: runAsUser: 100 - command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf"] + command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 1000000"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs From c754dc80bc019de119a7bb37fad920a2c300aa80 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 13:32:15 +0200 Subject: [PATCH 068/153] signal-sidecar-script --- .../sidecar-script-configmap.yaml | 15 +++++++++ .../ref-implementation/openbao/values.yaml | 32 +++++++++---------- 2 files changed, 31 insertions(+), 16 deletions(-) create mode 100644 template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml new file mode 100644 index 0000000..b7cfd87 --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: signal-sidecar-script + namespace: openbao +data: + sidecar.sh: | + #!/bin/sh + echo "Starting sidecar listener on port 8080..." + while true; do + # Listen for an HTTP request (basic netcat-based server) + echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 -q 1 + # Send SIGHUP signal + kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" + done 
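Review bot: `logrotate /etc/logrotate.conf && sleep 1000000` means the Job's pod never exits on success, so every run (every two minutes, with the default `concurrencyPolicy: Allow`) leaves another running pod behind holding a hostPath mount of `/var/log`, and the job history limits never get to clean anything up; on a small cluster that exhausts pod and memory quota within hours. If the sleep is there to keep a shell around for debugging, use `kubectl debug` or a one-off pod instead and let the Job finish: `command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf"]`. Note also that `&&` only sleeps when logrotate succeeded, so a failed rotation exits promptly while a successful one hangs, which is the inverse of what you would want to inspect.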
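Review bot: The listener in `sidecar.sh` sends `SIGHUP` to `bao` on every TCP connection to port 8080 without checking who connected or what was sent, so anyone who can reach the pod (and, once a Service is put in front of it, anyone in the cluster) can make the secrets server reload its configuration and reopen its audit devices on demand, as fast as they can open sockets. Before this goes further, decide what authenticates a caller (a NetworkPolicy limiting ingress to the rotator pods, a shared token in the request body, or not exposing it beyond the pod at all) and inspect the request before signalling instead of discarding it. Two smaller things: busybox `nc` on alpine does not, as far as I can tell, accept `-q`, in which case the usage error makes the loop fall straight through to the `kill` and spin, sending SIGHUP continuously; and `echo -e` is not portable under `#!/bin/sh` (it happens to work on ash).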
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 1df2fbb..5092396 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -23,22 +23,18 @@ server: mountPath: /etc/passwd subPath: passwd - name: logrotate2 - image: imroc/logrotate:latest - imagePullPolicy: IfNotPresent - env: - - name: LOGROTATE_FILE_PATTERN - value: "/openbao/logs/openbao/*.log" - - name: LOGROTATE_FILESIZE - value: "1M" - - name: LOGROTATE_FILENUM - value: "10" - - name: CRON_EXPR - value: "*/1 * * * *" - - name: CROND_LOGLEVEL - value: "7" + image: apline:latest + command: ["/bin/sh", "-c", "chmod +x /app/sidecar.sh && /app/sidecar.sh"] + securityContext: + runAsUser: 100 + ports: + - containerPort: 8080 volumeMounts: - - name: host-log-storage - mountPath: /openbao/logs + - name: passwd-volume + mountPath: /etc/passwd + subPath: passwd + - name: sidecar-script + mountPath: /app volumes: - name: logrotate-config-volume configMap: @@ -51,7 +47,11 @@ server: - name: host-log-storage hostPath: path: /var/log - type: Directory + type: Directory + - name: sidecar-script + configMap: + name: signal-sidecar-script + defaultMode: 0755 volumeMounts: - mountPath: /openbao/logs From 795d575d5e999bdcc513a4fa533e7a03ba06bf51 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 13:38:34 +0200 Subject: [PATCH 069/153] kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" mkdir pupa --- .../openbao-logging/sidecar-script-configmap.yaml | 1 + template/stacks/ref-implementation/openbao/values.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index b7cfd87..50119d8 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml 
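Review bot: `chmod +x /app/sidecar.sh && /app/sidecar.sh` cannot work as written: `/app` is a ConfigMap mount, which is read-only, so the `chmod` fails with a read-only-filesystem error and `&&` never starts the listener; the container exits and crash-loops. The volume hunk below already sets `defaultMode: 0755` on `sidecar-script`, which is the right way to get the execute bit, so the command can simply be `command: ["/bin/sh", "-c", "/app/sidecar.sh"]`. The image reference `apline:latest` is also misspelled and, like the other sidecars here, unpinned; a misspelled name on a public registry is exactly the typo-squatting case that pinning by digest protects against, so fix the name and pin it in the same change. The container gets `runAsUser: 100` and a port but no `allowPrivilegeEscalation: false`; add it here and on the first rotator.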
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -12,4 +12,5 @@ data: echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 -q 1 # Send SIGHUP signal kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" + mkdir pupa done diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 5092396..74b4f58 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -23,7 +23,7 @@ server: mountPath: /etc/passwd subPath: passwd - name: logrotate2 - image: apline:latest + image: alpine:latest command: ["/bin/sh", "-c", "chmod +x /app/sidecar.sh && /app/sidecar.sh"] securityContext: runAsUser: 100 From cfb473659d5513aae76827ade985c0505daaa410 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 13:46:04 +0200 Subject: [PATCH 070/153] command: ["/bin/sh", "-c", "sleep 1000000000000000000000"] --- .../openbao-logging/sidecar-script-service.yaml | 12 ++++++++++++ .../stacks/ref-implementation/openbao/values.yaml | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml new file mode 100644 index 0000000..3c5462c --- /dev/null +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: sidecar-script-service + namespace: openbao +spec: + selector: + app: logrotate2 + ports: + - protocol: TCP + port: 8080 + targetPort: 8080 diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 74b4f58..81a48ab 100644 
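Review bot: `sidecar-script-service` turns the unauthenticated signal listener into a cluster-wide ClusterIP endpoint: every pod in every namespace can now open a TCP connection to port 8080 of this Service and make OpenBao act on it (a SIGHUP today, whatever the script does tomorrow), and nothing here restricts that. If the Service is needed at all, pair it with a NetworkPolicy that allows ingress only from the rotator pods, and keep the listener's reaction limited to a log reopen. The selector `app: logrotate2` also matches no pod I can see in this series: `logrotate2` is a container name inside the OpenBao StatefulSet pod, not a pod label, so the Service will have no endpoints until the selector uses a label the chart actually puts on the pod.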
--- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -24,7 +24,7 @@ server: subPath: passwd - name: logrotate2 image: alpine:latest - command: ["/bin/sh", "-c", "chmod +x /app/sidecar.sh && /app/sidecar.sh"] + command: ["/bin/sh", "-c", "sleep 1000000000000000000000"] securityContext: runAsUser: 100 ports: From 0f229f7adb1737aaf78d720b4dc886a1cbf93a76 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 13:51:28 +0200 Subject: [PATCH 071/153] sleep infinity --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 81a48ab..b0b69b9 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -24,7 +24,7 @@ server: subPath: passwd - name: logrotate2 image: alpine:latest - command: ["/bin/sh", "-c", "sleep 1000000000000000000000"] + command: ["/bin/sh", "-c", "sleep infinity"] securityContext: runAsUser: 100 ports: From 4553289695cd0fbd8753c7c513a27acccb261fa5 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 13:59:01 +0200 Subject: [PATCH 072/153] tmp --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index b0b69b9..0afc278 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -34,7 +34,7 @@ server: mountPath: /etc/passwd subPath: passwd - name: sidecar-script - mountPath: /app + mountPath: /tmp volumes: - name: logrotate-config-volume configMap: From 8b6b29cb9f15c53371ec36d0392811e7ab3cff29 Mon Sep 17 00:00:00 2001 
From: miwr Date: Wed, 2 Apr 2025 14:21:28 +0200 Subject: [PATCH 073/153] sleep infinity --- .../openbao-logging/logrotate-cronjob.yaml | 2 +- .../openbao-logging/sidecar-script-configmap.yaml | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 7fed4c3..67b1bd9 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -14,7 +14,7 @@ spec: image: skymatic/logrotate:latest securityContext: runAsUser: 100 - command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 1000000"] + command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep infinity"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 50119d8..13cd909 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -8,9 +8,7 @@ data: #!/bin/sh echo "Starting sidecar listener on port 8080..." while true; do - # Listen for an HTTP request (basic netcat-based server) - echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 -q 1 - # Send SIGHUP signal + echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" - mkdir pupa + mkdir /tmp/pupa done From 853ce17354d0f52d690cdcf983b20d02bd8587aa Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 14:39:56 +0200 Subject: [PATCH 074/153] app: openbao-0 --- .../openbao-logging/sidecar-script-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
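Review bot: With `-q 1` gone, `nc -l -p 8080` in `sidecar.sh` returns only when the client closes the connection, so a client that connects and simply holds the socket open parks the whole loop and no later rotation can get its SIGHUP through; the cost to an attacker is one idle TCP connection. Busybox nc has `-w SEC` (`nc -l -p 8080 -w 5`), which should bound how long one connection can stall the listener; verify its exact semantics for the listen case on the alpine build in use. Nothing in the script checks who connected before the signal is sent, which is the larger problem. The `logrotate-cronjob.yaml` change in this commit swaps `sleep 1000000` for `sleep infinity`, so the Job pod still never completes and job pods keep accumulating.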
diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml index 3c5462c..cb44183 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml @@ -5,7 +5,7 @@ metadata: namespace: openbao spec: selector: - app: logrotate2 + app: openbao-0 ports: - protocol: TCP port: 8080 From a11947c5e7cac263902dc73fae9c43a9ed4445e0 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 14:40:13 +0200 Subject: [PATCH 075/153] kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" --- .../openbao-logging/sidecar-script-configmap.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 13cd909..15056d0 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -10,5 +10,4 @@ data: while true; do echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" - mkdir /tmp/pupa done From 949cf77c4e17e01a014cd7667e986a6641746b02 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 14:53:08 +0200 Subject: [PATCH 076/153] sighup --- .../openbao-logging/sidecar-script-configmap.yaml | 2 +- template/stacks/ref-implementation/openbao/values.yaml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 15056d0..92ac4f6 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml 
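Review bot: `app: openbao-0` looks like a pod name rather than a label value; nothing in this series puts an `app` label with that value on the OpenBao pod, and the Helm chart's own labels are not visible here, so I expect the Service still has no endpoints. A StatefulSet pod does carry the automatic label `statefulset.kubernetes.io/pod-name: openbao-0`, which is probably what was meant if the intent is to target the first replica; otherwise use the chart's selector labels so the Service covers all replicas. `kubectl -n openbao get endpoints sidecar-script-service` after sync will show an empty list if the selector is wrong.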
+++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -9,5 +9,5 @@ data: echo "Starting sidecar listener on port 8080..." while true; do echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 - kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" + kill $(pidof bao) || echo "OpenBAO process not found" done diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 0afc278..c96317c 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -24,7 +24,7 @@ server: subPath: passwd - name: logrotate2 image: alpine:latest - command: ["/bin/sh", "-c", "sleep infinity"] + command: ["/bin/sh", "-c", "/tmp/sidecar.sh"] securityContext: runAsUser: 100 ports: @@ -74,7 +74,6 @@ server: echo $(grep "Unseal Key 5:" /tmp/init.txt | awk '{print $NF}')| cat > /openbao/data/unseal_key5.txt bao login $(grep "Initial Root Token:" /tmp/init.txt | awk '{print $NF}') rm /tmp/init.txt - # bao audit enable file file_path=stdout bao audit enable -path="file" file file_path=/openbao/logs/openbao/openbao.log ui: enabled: true From 6811280b92c4bcfabe5484a213c40f4fdd702ee6 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 15:20:11 +0200 Subject: [PATCH 077/153] - name: sidecar-nginx image: nginx:latest ports: - containerPort: 8080 volumeMounts: - name: idecar-script mountPath: /etc/nginx subPath: nginx.conf subPathExpr: 'nginx.conf' - name: idecar-script mountPath: /tmp/sidecar.sh subPath: sidecar.sh mode: 0755 - name: passwd-volume mountPath: /etc/passwd subPath: passwd --- .../openbao-logging/logrotate-configmap.yaml | 2 +- .../sidecar-script-configmap.yaml | 24 ++++++++++++++----- .../ref-implementation/openbao/values.yaml | 18 +++++++++++++- 3 files changed, 36 insertions(+), 8 deletions(-) 
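Review bot: Dropping `-SIGHUP` changes the meaning of the listener entirely: `kill $(pidof bao)` sends SIGTERM, so every connection to port 8080 of the sidecar (reachable cluster-wide through `sidecar-script-service`) now shuts the OpenBao server down instead of asking it to reopen its log, i.e. an unauthenticated remote stop of the secrets store. If the intent was to test whether signals arrive at all, that belongs in an interactive session, not in the committed script. Restore `kill -HUP $(pidof bao) || echo "OpenBAO process not found"` (busybox kill accepts both `-HUP` and `-SIGHUP`) and keep the fallback message so a missing `bao` stays visible in the sidecar logs.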
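Review bot: The audit device path the `@@ -74,7 +74,6 @@` hunk leaves in force, `file_path=/openbao/logs/openbao/openbao.log`, lands in a directory that this series creates on the node's `/var/log` with `mkdir -p` and `chown 100:100`, i.e. world-listable 0755, and then rotates and compresses into the same place. Audit entries have secret values HMACed but carry request paths, client addresses and policy names in the clear, so what matters is the mode of the log file and of every rotated `.gz` copy; the file audit backend's `mode` option (0600 by default if OpenBao follows Vault) and a `create 0640` line in the logrotate config are the two places to set it, and `ls -l /var/log/openbao` on a node is the cheapest way to confirm. The same postStart block, in the context lines here, writes the unseal keys to `/openbao/data/unseal_key*.txt` and logs in with the root token on every start; that predates this commit but deserves its own issue before this reference implementation is copied. The postStart hook continues outside the hunk.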
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 391afed..47c98ae 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -11,6 +11,6 @@ data: missingok notifempty postrotate - kill -SIGHUP $(pidof bao) + echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:8080\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 8080 endscript } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 92ac4f6..811add3 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -5,9 +5,21 @@ metadata: namespace: openbao data: sidecar.sh: | - #!/bin/sh - echo "Starting sidecar listener on port 8080..." - while true; do - echo -e "HTTP/1.1 200 OK\n\nSIGHUP sent to OpenBAO" | nc -l -p 8080 - kill $(pidof bao) || echo "OpenBAO process not found" - done + #!/bin/bash + echo "Sending SIGHUP to OpenBAO..." + kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" + + nginx.conf: | + events {} + + http { + server { + listen 8080; + + location / { + exec /tmp/sidecar.sh; + default_type text/plain; + return 200 "SIGHUP sent to OpenBAO\n"; + } + } + } \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index c96317c..b4ada12 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml 
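Review bot: The new `postrotate` command pipes a hand-built `POST / HTTP/1.1` into `nc` with no `-w` timeout and no `Connection: close` header; the nginx it targets keeps HTTP/1.1 connections alive by default, so `nc` can sit on the open socket until the server side times out, and logrotate, which runs `postrotate` synchronously, stalls with it, every minute, inside the sidecar's cron. Add both: `echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:8080\r\nConnection: close\r\nContent-Length: 0\r\n\r\n" | nc -w 5 sidecar-script-service.openbao.svc.cluster.local 8080`. The request carries nothing that identifies the caller, so whatever answers that Service cannot tell this rotator from any other pod in the cluster; if a shared token is added to the listener later, the request body here is where it belongs.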
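Review bot: `exec /tmp/sidecar.sh;` is not an nginx directive; stock `nginx:latest` refuses to start with `unknown directive "exec"`, and even with that line removed `return 200` answers without running anything, so the rotation signal becomes a silent no-op while every caller is told `SIGHUP sent to OpenBAO`. nginx cannot run a shell script from a `location` without an extra module or a CGI bridge, so either keep a small script-based listener that actually performs the kill, or accept that this needs a real handler that can validate the request before acting. Note too that `sidecar.sh` is now `#!/bin/bash` while the alpine container that was executing it ships no bash; match the interpreter to the image that will run it. Whatever form the listener takes, it still accepts any connection from anywhere the Service reaches.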
@@ -28,13 +28,29 @@ server: securityContext: runAsUser: 100 ports: - - containerPort: 8080 + - containerPort: 8081 volumeMounts: - name: passwd-volume mountPath: /etc/passwd subPath: passwd - name: sidecar-script mountPath: /tmp + - name: sidecar-nginx + image: nginx:latest + ports: + - containerPort: 8080 + volumeMounts: + - name: idecar-script + mountPath: /etc/nginx + subPath: nginx.conf + subPathExpr: 'nginx.conf' + - name: idecar-script + mountPath: /tmp/sidecar.sh + subPath: sidecar.sh + mode: 0755 + - name: passwd-volume + mountPath: /etc/passwd + subPath: passwd volumes: - name: logrotate-config-volume configMap: From dd9ddc8fdb88203bc7dc0186f6fc2a30cc171751 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 15:26:04 +0200 Subject: [PATCH 078/153] sidecar-script --- template/stacks/ref-implementation/openbao/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index b4ada12..16154c8 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -40,11 +40,11 @@ server: ports: - containerPort: 8080 volumeMounts: - - name: idecar-script + - name: sidecar-script mountPath: /etc/nginx subPath: nginx.conf subPathExpr: 'nginx.conf' - - name: idecar-script + - name: sidecar-script mountPath: /tmp/sidecar.sh subPath: sidecar.sh mode: 0755 From 529182ee3d4e5c9e47309cd24b9005eb8952a9a8 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 2 Apr 2025 15:31:38 +0200 Subject: [PATCH 079/153] logrotate-cronjob --- .../openbao-logging/logrotate-cronjob.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 67b1bd9..9b51ba1 100644 
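Review bot: The new `sidecar-nginx` volumeMounts will be rejected or mis-mounted: `subPath` and `subPathExpr` are mutually exclusive on a VolumeMount, `mode` is not a VolumeMount field (and unquoted `0755` is read by YAML as the integer 493, so even where it is accepted it is not the value intended), and `mountPath: /etc/nginx` with `subPath: nginx.conf` places the file at the path `/etc/nginx` rather than inside that directory. Drop `subPathExpr` and `mode`, use `mountPath: /etc/nginx/nginx.conf`, and set the execute bit with `defaultMode: 0755` on the configMap volume in `volumes:` (outside this hunk). `image: nginx:latest` should be pinned to a tag or digest for the same reproducibility reason as the other `latest` images in this file.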
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -1,9 +1,8 @@ apiVersion: batch/v1 kind: CronJob metadata: - name: example-cronjob - namespace: openbao -spec: + name: logrotate-cronjob + spec: schedule: "*/2 * * * *" jobTemplate: spec: From 777d6afeb4e2c1f40ceeeecbb4962258b7d3c902 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 11 Apr 2025 14:12:29 +0000 Subject: [PATCH 080/153] Update template/stacks/core/forgejo-runner/dind-docker.yaml --- .../core/forgejo-runner/dind-docker.yaml | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml index 3676503..2702b3e 100644 --- a/template/stacks/core/forgejo-runner/dind-docker.yaml +++ b/template/stacks/core/forgejo-runner/dind-docker.yaml @@ -29,18 +29,17 @@ spec: initContainers: - name: runner-register image: code.forgejo.org/forgejo/runner:6.3.1 - command: - - "forgejo-runner" - - "register" - - "--no-interactive" - - "--token" - - $(RUNNER_SECRET) - - "--name" - - $(RUNNER_NAME) - - "--instance" - - $(FORGEJO_INSTANCE_URL) - - "--labels" - - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04" + command: + - "sh" + - "-c" + - | + forgejo-runner \ + register \ + --no-interactive \ + --token ${RUNNER_SECRET} \ + --name ${RUNNER_NAME} \ + --instance ${FORGEJO_INSTANCE_URL} \ + --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04 env: - name: RUNNER_NAME valueFrom: 
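Review bot: As rendered, the new `spec:` line carries a leading space (`+ spec:` versus the removed `-spec:`), which would either nest `spec` under `metadata` or fail to parse; confirm it sits at column 0 in the committed file. Dropping `namespace: openbao` is only correct because the Argo CD Application that syncs this directory supplies the destination namespace, so a short comment above `metadata:` (`# namespace is set by the syncing Application`) would save the next reader a search.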
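Review bot: In the rewritten `sh -c` block the expansions `${RUNNER_SECRET}`, `${RUNNER_NAME}` and `${FORGEJO_INSTANCE_URL}` are unquoted, so a value containing whitespace or glob characters is word-split before it reaches `forgejo-runner`; quote them, e.g. `--token "${RUNNER_SECRET}" \`. Both the old and new forms pass the registration token on the command line, where it is readable via `/proc/*/cmdline` by other processes in the pod; if the runner supports reading the token from a file or environment variable, that is the safer route and worth a comment either way.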
From c01d4952ad2474f25f810117d2515028fd91bc8c Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 16:17:20 +0000 Subject: [PATCH 081/153] Disabled user self registration in Forgejo --- template/stacks/core/forgejo/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 0cb06cd..520bdf5 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -16,6 +16,8 @@ gitea: admin: existingSecret: gitea-credential config: + service: + DISABLE_REGISTRATION: true database: DB_TYPE: sqlite3 session: From 5d0182d6ee9791bac797ba224f7e4ed23265b0d6 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 16:27:05 +0000 Subject: [PATCH 082/153] Update template/stacks/core/forgejo/values.yaml --- template/stacks/core/forgejo/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 520bdf5..90b01a6 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -18,6 +18,9 @@ gitea: config: service: DISABLE_REGISTRATION: true + other: + SHOW_FOOTER_VERSION: false + SHOW_FOOTER_TEMPLATE_LOAD_TIME: false database: DB_TYPE: sqlite3 session: From 3263113ebe3cd771b2243fbde1802c9c5f86ee9d Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 18:49:15 +0000 Subject: [PATCH 083/153] Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml --- .../keycloak/manifests/keycloak-config.yaml | 117 ++++++++++++++---- 1 file changed, 94 insertions(+), 23 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c1d77a7..8418a5c 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -71,11 +71,11 @@ data: }, "type": "default", "protocol": "openid-connect" - } + } group-admin-payload.json: | - {"name":"admin"} + {"name":"admin"} group-base-user-payload.json: | - {"name":"base-user"} + {"name":"base-user"} group-mapper-payload.json: | { "protocol": "openid-connect", @@ -88,15 +88,15 @@ data: "access.token.claim": "true", "userinfo.token.claim": "true" } - } + } realm-payload.json: | - {"realm":"cnoe","enabled":true} + {"realm":"cnoe","enabled":true} user-password.json: | { "temporary": false, "type": "password", "value": "${USER1_PASSWORD}" - } + } user-user1.json: | { "username": "user1", @@ -109,7 +109,7 @@ data: "/admin" ], "enabled": true - } + } user-user2.json: | { "username": "user2", @@ -122,7 +122,7 @@ data: "/base-user" ], "enabled": true - } + } argo-client-payload.json: | { "protocol": "openid-connect", @@ -150,7 +150,7 @@ data: "webOrigins": [ "/*" ] - } + } backstage-client-payload.json: | { @@ -179,7 +179,7 @@ data: "webOrigins": [ "/*" ] - } + } grafana-client-payload.json: | { 
@@ -217,7 +217,45 @@ data: "groups", "email" ] - } + } + + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "offline_access", + "roles", + "profile", + "groups", + "email" + ] + } --- apiVersion: batch/v1 @@ -254,7 +292,7 @@ spec: command: ["/bin/bash", "-c"] args: - | - #! /bin/bash + #! /bin/bash set -ex -o pipefail @@ -355,8 +393,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
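Review bot: The new `argocd-client-payload.json` enables the Resource Owner Password Credentials grant (`"directAccessGrantsEnabled": true`) on a confidential client that only needs the authorization-code flow (`"standardFlowEnabled": true`), which lets any holder of the client secret exchange a user's password for tokens directly; set it to `false` unless a consumer relies on it. `"redirectUris": ["https://{{{ .Env.DOMAIN }}}/*"]` is a wildcard over the whole host, so an authorization code can be returned to any path on that domain — narrow it to the Argo CD callback path under `/argocd`. The same two settings appear in the Forgejo payload added in PATCH 084 and in both payloads re-added in PATCH 085 further down.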
@@ -370,21 +408,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -394,18 +437,45 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == 
"argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -426,7 +496,8 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml - From 7a5e29e47d2a64309007fc79a600ef11f19d567d Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 18:52:41 +0000 Subject: [PATCH 084/153] Update template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml --- .../keycloak/manifests/keycloak-config.yaml | 105 ++++++++---------- 1 file changed, 45 insertions(+), 60 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 8418a5c..c30cee6 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
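Review bot: The added ArgoCD block runs under the script's `set -ex -o pipefail` (outside this hunk), so every expanded `curl` line — including `-H "Authorization: bearer ${KEYCLOAK_TOKEN}"` — and the `ARGOCD_CLIENT_SECRET=...` assignment with its resolved value are traced to the Job's stdout and end up in the pod log; this commit adds five more such lines. Consider switching tracing off around the credentialed section (`set +x` before the first `curl`, `set -x` after) or passing the header from a file with `-H @/tmp/auth-header` (curl 7.55+) so the token value never appears in the trace. The same applies to the Forgejo and ArgoCD blocks added in PATCH 084 and 085. The enclosing script starts and ends outside the hunk.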
@@ -181,6 +181,34 @@ data: ] } + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN_GITEA }}}/*" + ], + "webOrigins": [ + "/*" + ] + grafana-client-payload.json: | { "clientId": "grafana", @@ -219,44 +247,6 @@ data: ] } - argocd-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "argocd", - "name": "ArgoCD Client", - "description": "Used for ArgoCD SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN }}}/*" - ], - "webOrigins": [ - "/*" - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "offline_access", - "roles", - "profile", - "groups", - "email" - ] - } - --- apiVersion: batch/v1 kind: Job 
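Review bot: The `forgejo-client-payload.json` block scalar ends after `"webOrigins": [ "/*" ]` without the closing `}` of the object, so the file the Job POSTs is not valid JSON and Keycloak should reject the client creation; because `curl` is not run with `--fail`, the error only surfaces later when the `jq -e` lookup of the `forgejo` client id returns nothing. Add the `}` at the same indent as the opening brace, as the sibling payloads do (PATCH 085 below re-adds the payload with the brace in place). The explicit `:443` in `"rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443"` is unusual next to the other payloads' empty `rootUrl`; a comment on why it is needed, or dropping it, would help.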
@@ -393,8 +383,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -408,26 +398,21 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -437,7 +422,7 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -455,15 +440,15 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - echo "creating ArgoCD client" + echo "creating Forgejo client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argocd-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "forgejo") | .id') CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -473,9 +458,9 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -494,10 +479,10 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana - ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} - ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml From 2532958de87404df337c29f9b628b036389412e7 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sat, 12 Apr 2025 21:05:35 +0200 Subject: [PATCH 085/153] Added Forgejo to Keycloak config --- .../keycloak/manifests/keycloak-config.yaml | 149 ++++++++++++------ 1 file changed, 104 insertions(+), 45 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c30cee6..6416367 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
@@ -181,34 +181,6 @@ data: ] } - forgejo-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "forgejo", - "name": "Forgejo Client", - "description": "Used for Forgejo SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443", - "baseUrl": "", - "redirectUris": [ - "https://{{{ .Env.DOMAIN_GITEA }}}/*" - ], - "webOrigins": [ - "/*" - ] - grafana-client-payload.json: | { "clientId": "grafana", 
@@ -245,7 +217,65 @@ data: "groups", "email" ] - } + } + + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } + + forgejo-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "forgejo", + "name": "Forgejo Client", + "description": "Used for Forgejo SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN }}}/*" + ], + "webOrigins": [ + "/*" + ] + } --- apiVersion: batch/v1 @@ -343,7 +373,7 @@ spec: ${KEYCLOAK_URL}/admin/realms/cnoe/groups # Create scope mapper - echo 'adding group claim to tokens' + echo 'adding group claim to tokens' CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') curl -sS -H "Content-Type: application/json" \ 
@@ -383,8 +413,8 @@ spec: echo "creating Argo Workflows client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/argo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -398,21 +428,26 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -422,7 +457,7 @@ spec: curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -440,11 +475,33 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + echo "creating Forgejo client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/forgejo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients + -X POST --data @/var/config/forgejo-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ 
@@ -459,9 +516,9 @@ spec: -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') ARGOCD_SESSION_TOKEN=$(curl -sS https://{{{ .Env.DOMAIN }}}/argocd/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) @@ -479,10 +536,12 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage - FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} - FORGEJO_CLIENT_ID: forgejo GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd + FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET} + FORGEJO_CLIENT_ID: forgejo " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml From 55a1eaa6f6479b9775cb9787cf26398927d47a50 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sat, 12 Apr 2025 21:07:43 +0200 Subject: [PATCH 086/153] Added Forgejo to Keycloak config --- .../ref-implementation/keycloak/manifests/keycloak-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 6416367..e325ff0 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml 
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -270,7 +270,7 @@ data: "rootUrl": "", "baseUrl": "", "redirectUris": [ - "https://{{{ .Env.DOMAIN }}}/*" + "https://{{{ .Env.DOMAIN_GITEA }}}/*" ], "webOrigins": [ "/*" From 33def8aba5c018c8c4f1846cdfc6aad790bf48bf Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sat, 12 Apr 2025 21:31:05 +0200 Subject: [PATCH 087/153] Added keycloak client externalsecret for Forgejo and ArgoCD --- template/stacks/core/argocd-sso.yaml | 29 +++++++++++++++++++ .../stacks/core/argocd-sso/argocd-secret.yaml | 21 ++++++++++++++ template/stacks/core/forgejo-sso.yaml | 29 +++++++++++++++++++ .../core/forgejo-sso/secret-forgejo.yaml | 21 ++++++++++++++ 4 files changed, 100 insertions(+) create mode 100644 template/stacks/core/argocd-sso.yaml create mode 100644 template/stacks/core/argocd-sso/argocd-secret.yaml create mode 100644 template/stacks/core/forgejo-sso.yaml create mode 100644 template/stacks/core/forgejo-sso/secret-forgejo.yaml diff --git a/template/stacks/core/argocd-sso.yaml b/template/stacks/core/argocd-sso.yaml new file mode 100644 index 0000000..7ae15bc --- /dev/null +++ b/template/stacks/core/argocd-sso.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd-sso + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/core/argocd-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: argocd + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml new file mode 100644 index 0000000..0ca7b1c 
--- /dev/null +++ b/template/stacks/core/argocd-sso/argocd-secret.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: argocd +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.ARGOCD_CLIENT_SECRET}}" + data: + - secretKey: ARGOCD_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: ARGOCD_CLIENT_SECRET \ No newline at end of file diff --git a/template/stacks/core/forgejo-sso.yaml b/template/stacks/core/forgejo-sso.yaml new file mode 100644 index 0000000..6402b41 --- /dev/null +++ b/template/stacks/core/forgejo-sso.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: forgejo-sso + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/core/forgejo-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: gitea + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s \ No newline at end of file diff --git a/template/stacks/core/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/secret-forgejo.yaml new file mode 100644 index 0000000..09318c3 --- /dev/null +++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml 
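Review bot: `refreshInterval: "0"` tells external-secrets to sync `auth-generic-oauth-secret` exactly once, so if the keycloak-config Job re-runs and the `keycloak-clients` secret receives a new client secret, Argo CD keeps the stale value and SSO logins fail until someone deletes the ExternalSecret; unless one-shot behaviour is intended, use a periodic interval (e.g. `refreshInterval: 1h`) or add a comment stating why it is `"0"`. The same `"0"` appears in `secret-forgejo.yaml` added in this commit.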
@@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: gitea +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.FORGEJO_CLIENT_SECRET}}" + data: + - secretKey: FORGEJO_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: FORGEJO_CLIENT_SECRET \ No newline at end of file From ead21d078a041ec99f0b179551c7881a43415b2d Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 20:42:55 +0000 Subject: [PATCH 088/153] Update template/stacks/core/argocd-sso/argocd-secret.yaml --- template/stacks/core/argocd-sso/argocd-secret.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/template/stacks/core/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd-sso/argocd-secret.yaml index 0ca7b1c..105bdf4 100644 --- a/template/stacks/core/argocd-sso/argocd-secret.yaml +++ b/template/stacks/core/argocd-sso/argocd-secret.yaml @@ -14,6 +14,9 @@ spec: engineVersion: v2 data: client_secret: "{{.ARGOCD_CLIENT_SECRET}}" + metadata: + labels: + app.kubernetes.io/part-of: argocd data: - secretKey: ARGOCD_CLIENT_SECRET remoteRef: From 1a8c2846bceec24ce6cfcd5ec6acc876f4ba2eaf Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 12 Apr 2025 21:21:16 +0000 Subject: [PATCH 089/153] Update template/stacks/core/forgejo-sso/secret-forgejo.yaml --- template/stacks/core/forgejo-sso/secret-forgejo.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/template/stacks/core/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/secret-forgejo.yaml index 09318c3..d449c24 100644 --- a/template/stacks/core/forgejo-sso/secret-forgejo.yaml +++ b/template/stacks/core/forgejo-sso/secret-forgejo.yaml 
@@ -13,9 +13,14 @@ spec: template: engineVersion: v2 data: - client_secret: "{{.FORGEJO_CLIENT_SECRET}}" + key: "{{.FORGEJO_CLIENT_ID}}" + secret: "{{.FORGEJO_CLIENT_SECRET}}" data: + - secretKey: FORGEJO_CLIENT_ID + remoteRef: + key: keycloak-clients + property: FORGEJO_CLIENT_ID - secretKey: FORGEJO_CLIENT_SECRET remoteRef: key: keycloak-clients - property: FORGEJO_CLIENT_SECRET \ No newline at end of file + property: FORGEJO_CLIENT_SECRET From 620f7a3fd92c02f260eae6aa5b86822a982c93a4 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Mon, 14 Apr 2025 13:30:50 +0200 Subject: [PATCH 090/153] adds a kubernetes job that configures Forgejo --- .../core/forgejo-sso/forgejo-sso-config.yaml | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 template/stacks/core/forgejo-sso/forgejo-sso-config.yaml diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml new file mode 100644 index 0000000..5d877e4 --- /dev/null +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml 
@@ -0,0 +1,71 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: forgejo-config + namespace: gitea +# annotations: +# argocd.argoproj.io/hook: PostSync +spec: + template: + metadata: + generateName: forgejo-config- + spec: + # serviceAccountName: forgejo-config + restartPolicy: Never + containers: + - name: push + image: docker.io/library/ubuntu:22.04 + command: ["/bin/bash", "-c"] + args: + - | + #! /bin/bash + + apt -qq update + apt -qq install git wget -y + if [[ "$(uname -m)" == "x86_64" ]]; then + wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 + install yq_linux_amd64 /usr/local/bin/yq + rm yq_linux_amd64 + else + wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64 + install yq_linux_arm64 /usr/local/bin/yq + rm yq_linux_arm64 + fi + + DOMAIN=192-168-197-2.c-one-infra.de + GIT_USERNAME=bot + GIT_PASSWORD=ca78ba327f61588a564907638920d163936863c9 + + git config --global user.email "bot@bots.de" + git config --global user.name "bot" + + git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + cd edfbuilder + yq eval ".gitea.oauth = [ + { + \"name\": \"Keycloak\", + \"provider\": \"openidConnect\", + \"existingSecret\": \"auth-generic-oauth-secret\", + \"autoDiscoverUrl\": \"https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration\" + } + ] | + (.gitea.oauth[] | .name) |= (. style=\"single\") + | + (.gitea.oauth[] | .provider) |= (. style=\"single\") + | + (.gitea.oauth[] | .existingSecret) |= (. style=\"single\") + | + (.gitea.oauth[] | .autoDiscoverUrl) |= (. style=\"single\") + " -i stacks/core/forgejo/values.yaml + + yq eval '.gitea.config.oauth2_client = + { + "ENABLE_AUTO_REGISTRATION" : true, + "ACCOUNT_LINKING" : "auto" + } + ' -i stacks/core/forgejo/values.yaml + + git add stacks/core/forgejo/values.yaml + git commit -m "adds Forgejo SSO config" + git push \ No newline at end of file 
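Review bot: The script embeds a Forgejo access token in clear text, `GIT_PASSWORD=ca78ba327f…`, in a manifest that is committed to the repository; the same pattern appears in argocd-sso-config.yaml (PATCH 091) and in every later re-assignment of `GIT_PASSWORD` until PATCH 103 removes the lines. Once a token has been committed it has to be treated as exposed and revoked on the Forgejo side regardless of later deletions, and the Job should receive it from a Secret via `env`/`secretKeyRef` instead. Two smaller points in the same block: there is no `set -euo pipefail` after the shebang, so if the `yq` edit fails, `git add` and `git push` still exit 0 on an unchanged tree and the Job reports success, and the `yq` binary is installed straight from the download without checksum verification, which `echo "<YQ_SHA256_PLACEHOLDER>  yq_linux_amd64" | sha256sum -c -` before `install` would cover.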
From b533f7adf3d58b37bf578d7c73d144f768719621 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Mon, 14 Apr 2025 16:39:37 +0200 Subject: [PATCH 091/153] adds a kubernetes job that configures ArgoCD --- .../core/argocd-sso/argocd-sso-config.yaml | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 template/stacks/core/argocd-sso/argocd-sso-config.yaml diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml new file mode 100644 index 0000000..5ecfcd8 --- /dev/null +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: argocd-config + namespace: argocd +# annotations: +# argocd.argoproj.io/hook: PostSync +spec: + template: + metadata: + generateName: argocd-config- + spec: + # serviceAccountName: argocd-config + restartPolicy: OnFailure + containers: + - name: push + image: docker.io/library/ubuntu:22.04 + envFrom: + - secretRef: + name: auth-generic-oauth-secret # thats the external secret the job should wait for + - secretRef: + name: k8s-job-token # edpbuilder should create this automatically and feed it to this job + command: ["/bin/bash", "-c"] + args: + - | + #! /bin/bash + + if [[ "$client_secret" == "" ]]; + then + exit 1 + fi + + apt -qq update + apt -qq install git wget -y + if [[ "$(uname -m)" == "x86_64" ]]; then + wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 + install yq_linux_amd64 /usr/local/bin/yq + rm yq_linux_amd64 + else + wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64 + install yq_linux_arm64 /usr/local/bin/yq + rm yq_linux_arm64 + fi + + DOMAIN=192-168-197-2.c-one-infra.de + GIT_USERNAME=giteaAdmin + GIT_PASSWORD=2e53bfe27b64a5aa4e8bc591e15b33cc92ff95fa + + git config --global user.email "bot@bots.de" + git config --global user.name "bot" + + git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + cd edfbuilder + yq eval '.configs.cm.oidc.config = + { + "name": "Keycloak", + "issuer": "https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration", + "clientID": "argocd", + "clientSecret": "$auth-generic-oauth-secret:client_secret", + "requestedScopes": ["openid", "profile", "email", "groups"] + } + ' -i stacks/core/argocd/values.yaml + + git add stacks/core/argocd/values.yaml + git commit -m "adds Forgejo SSO config" + git push + backoffLimit: 99 \ No newline at end of file From d90402b74a202718bbde2cef8d580fff1bde2145 Mon Sep 17 00:00:00 2001 
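Review bot: In the `yq eval '...'` call the program is single-quoted, so `${DOMAIN}` in the issuer string is never expanded by the shell and values.yaml ends up with the literal text `${DOMAIN}` as the issuer host; yq's `strenv` reads the variable from the environment instead, e.g. `"issuer": ("https://" + strenv(DOMAIN) + "/keycloak/realms/cnoe/.well-known/openid-configuration"),`. The `envFrom` entry for `k8s-job-token` refers to a Secret that nothing on this page creates, and without `optional: true` a missing Secret keeps the container from starting at all, so the `exit 1` guard below it never gets to run; forgejo-sso-config.yaml receives the same block in PATCH 093. The hard-coded `GIT_PASSWORD` here is the pattern already noted on forgejo-sso-config.yaml (PATCH 090).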
From: "franz.germann" Date: Mon, 14 Apr 2025 16:56:45 +0200 Subject: [PATCH 092/153] renaming --- .../core/forgejo-sso/{secret-forgejo.yaml => forgejo-secret.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename template/stacks/core/forgejo-sso/{secret-forgejo.yaml => forgejo-secret.yaml} (100%) diff --git a/template/stacks/core/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo-sso/forgejo-secret.yaml similarity index 100% rename from template/stacks/core/forgejo-sso/secret-forgejo.yaml rename to template/stacks/core/forgejo-sso/forgejo-secret.yaml From 701771ad13426ecbbdb3ad15a403fd3f9914f1d0 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Mon, 14 Apr 2025 17:42:27 +0200 Subject: [PATCH 093/153] adds secretRefs to the jobs --- .../core/argocd-sso/argocd-sso-config.yaml | 10 +------- .../core/forgejo-sso/forgejo-sso-config.yaml | 23 ++++++++++++++----- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 5ecfcd8..7553279 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml 
@@ -52,15 +52,7 @@ spec: git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder - yq eval '.configs.cm.oidc.config = - { - "name": "Keycloak", - "issuer": "https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration", - "clientID": "argocd", - "clientSecret": "$auth-generic-oauth-secret:client_secret", - "requestedScopes": ["openid", "profile", "email", "groups"] - } - ' -i stacks/core/argocd/values.yaml + yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml git add stacks/core/argocd/values.yaml git commit -m "adds Forgejo SSO config" diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index 5d877e4..228ee6f 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -11,16 +11,26 @@ spec: metadata: generateName: forgejo-config- spec: - # serviceAccountName: forgejo-config - restartPolicy: Never + # serviceAccountName: bot + restartPolicy: OnFailure containers: - name: push image: docker.io/library/ubuntu:22.04 + envFrom: + - secretRef: + name: auth-generic-oauth-secret # thats the external secret the job should wait for + - secretRef: + name: k8s-job-token # edpbuilder should create this automatically and feed it to this job command: ["/bin/bash", "-c"] args: - | #! /bin/bash + if [[ "$client_secret" == "" ]]; + then + exit 1 + fi + apt -qq update apt -qq install git wget -y if [[ "$(uname -m)" == "x86_64" ]]; then 
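Review bot: The rewritten `yq` line hard-codes `192-168-197-2.c-one-infra.de` into `oidc.config` while `DOMAIN=` is still assigned a few lines above the hunk, so the Job now carries an environment-specific hostname that the variable was meant to supply. The single quotes are what blocked `${DOMAIN}` before; splicing it in with `strenv(DOMAIN)` (`"name: Keycloak\nissuer: https://" + strenv(DOMAIN) + "/keycloak/realms/cnoe\n..."`) keeps the program quoted and still parameterised. The same hard-coded host reappears in the Forgejo job's `autoDiscoverUrl` from PATCH 098 onwards.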
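Review bot: The guard `if [[ "$client_secret" == "" ]]` will fail on every run of this Job, because the Forgejo `auth-generic-oauth-secret` has been templated with the keys `key` and `secret` since PATCH 089, so `envFrom` never exposes a `client_secret` variable; with `restartPolicy: OnFailure` the pod just restarts until the backoff limit is reached. Checking `$secret` instead, or better an explicit `env`/`secretKeyRef` on `secret`, ties the gate to a key that actually exists. The `k8s-job-token` secretRef has the same missing-Secret problem noted on the Argo CD job (PATCH 091).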
@@ -34,11 +44,11 @@ spec: fi DOMAIN=192-168-197-2.c-one-infra.de - GIT_USERNAME=bot - GIT_PASSWORD=ca78ba327f61588a564907638920d163936863c9 + GIT_USERNAME=giteaAdmin + GIT_PASSWORD=2e53bfe27b64a5aa4e8bc591e15b33cc92ff95fa git config --global user.email "bot@bots.de" - git config --global user.name "bot" + git config --global user.name "giteaAdmin" git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder @@ -68,4 +78,5 @@ spec: git add stacks/core/forgejo/values.yaml git commit -m "adds Forgejo SSO config" - git push \ No newline at end of file + git push + backoffLimit: 99 \ No newline at end of file From 5165583b9a7fd75d923fb7c2f411007b77751fc8 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 16 Apr 2025 14:53:10 +0200 Subject: [PATCH 094/153] testing --- .../core/argocd-sso/argocd-sso-config.yaml | 27 ++++++++++--------- .../core/forgejo-sso/forgejo-sso-config.yaml | 6 ++--- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 7553279..8461b3c 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml 
@@ -16,21 +16,22 @@ spec: containers: - name: push image: docker.io/library/ubuntu:22.04 - envFrom: - - secretRef: - name: auth-generic-oauth-secret # thats the external secret the job should wait for - - secretRef: - name: k8s-job-token # edpbuilder should create this automatically and feed it to this job + env: + - name: ARGOCD_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: auth-generic-oauth-secret + key: client_secret + # envFrom: + # - secretRef: + # name: auth-generic-oauth-secret # thats the external secret the job should wait for + # - secretRef: + # name: k8s-job-token # edpbuilder should create this automatically and feed it to this job command: ["/bin/bash", "-c"] args: - | #! /bin/bash - if [[ "$client_secret" == "" ]]; - then - exit 1 - fi - apt -qq update apt -qq install git wget -y if [[ "$(uname -m)" == "x86_64" ]]; then 
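Review bot: `ARGOCD_CLIENT_SECRET` is injected from `auth-generic-oauth-secret` but the script never reads it; the `yq` line further down references the secret through Argo CD's own `$auth-generic-oauth-secret:client_secret` syntax, so the value sits unused in the container environment. If the `secretKeyRef` is only meant to hold the Job until the ExternalSecret has materialised (a non-optional reference keeps the container from starting while the Secret is missing), a comment should say so, e.g. `# secretKeyRef without optional:true blocks the pod until the ExternalSecret has synced`; otherwise drop the `env` entry. The removed `exit 1` guard is effectively replaced by that behaviour, which is worth stating because the replacement is implicit.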
@@ -45,14 +46,14 @@ spec: DOMAIN=192-168-197-2.c-one-infra.de GIT_USERNAME=giteaAdmin - GIT_PASSWORD=2e53bfe27b64a5aa4e8bc591e15b33cc92ff95fa + GIT_PASSWORD=a618f97ca89714d894d5bfc7ac47d0b76a7ec35a git config --global user.email "bot@bots.de" git config --global user.name "bot" - git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git cd edfbuilder - yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml + yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml git add stacks/core/argocd/values.yaml git commit -m "adds Forgejo SSO config" diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index 228ee6f..cffcefa 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml 
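Review bot: `DOMAIN=192-168-197-2.c-one-infra.de` in the context lines of this hunk is now dead, since both the clone URL and the `yq` issuer use `{{{ .Env.* }}}` template placeholders instead, and an environment-specific hostname left behind invites being wired back in. The message `git commit -m "adds Forgejo SSO config"` is a copy-paste from the Forgejo job; this Job configures Argo CD, so `git commit -m "adds ArgoCD SSO config"` would keep the generated history readable. The Forgejo job hunk below makes the same template switch and keeps its own dead `DOMAIN=` line.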
@@ -45,19 +45,19 @@ spec: DOMAIN=192-168-197-2.c-one-infra.de GIT_USERNAME=giteaAdmin - GIT_PASSWORD=2e53bfe27b64a5aa4e8bc591e15b33cc92ff95fa + GIT_PASSWORD=a618f97ca89714d894d5bfc7ac47d0b76a7ec35a git config --global user.email "bot@bots.de" git config --global user.name "giteaAdmin" - git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git cd edfbuilder yq eval ".gitea.oauth = [ { \"name\": \"Keycloak\", \"provider\": \"openidConnect\", \"existingSecret\": \"auth-generic-oauth-secret\", - \"autoDiscoverUrl\": \"https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration\" + \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\" } ] | (.gitea.oauth[] | .name) |= (. style=\"single\") From 42d65e95be53711fbd58c1374a33166bd14447b2 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 16 Apr 2025 14:59:25 +0200 Subject: [PATCH 095/153] testing --- .../stacks/core/forgejo-sso/forgejo-sso-config.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index cffcefa..1e2c139 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml 
@@ -16,11 +16,11 @@ spec: containers: - name: push image: docker.io/library/ubuntu:22.04 - envFrom: - - secretRef: - name: auth-generic-oauth-secret # thats the external secret the job should wait for - - secretRef: - name: k8s-job-token # edpbuilder should create this automatically and feed it to this job + # envFrom: + # - secretRef: + # name: auth-generic-oauth-secret # thats the external secret the job should wait for + # - secretRef: + # name: k8s-job-token # edpbuilder should create this automatically and feed it to this job command: ["/bin/bash", "-c"] args: - | From 11d9ad5fcc026b1e79783a7c50d02a58f88214d7 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 16 Apr 2025 15:24:28 +0200 Subject: [PATCH 096/153] testing --- .../stacks/core/argocd-sso/argocd-sso-config.yaml | 4 ++-- .../stacks/core/forgejo-sso/forgejo-sso-config.yaml | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 8461b3c..a374afb 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml 
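Review bot: With `envFrom` commented out nothing populates `client_secret` any more, but the guard `if [[ "$client_secret" == "" ]]; then exit 1` further down the script (outside this hunk) is still active, so every run of this Job exits 1 and, under `restartPolicy: OnFailure` with `backoffLimit: 99`, it restarts until the limit is exhausted. Either the guard goes together with the `envFrom`, or the secret is wired back in through an explicit `env`/`secretKeyRef` on the `secret` key of the Forgejo ExternalSecret. Commented-out manifest fragments are also easy to misread as active configuration; deleting them is the safer choice.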
@@ -51,9 +51,9 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "bot" - git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git + git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder - yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml + yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://${DOMAIN}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml git add stacks/core/argocd/values.yaml git commit -m "adds Forgejo SSO config" diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index 1e2c139..3d51b86 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -26,10 +26,10 @@ spec: - | #! /bin/bash - if [[ "$client_secret" == "" ]]; - then - exit 1 - fi + # if [[ "$client_secret" == "" ]]; + # then + # exit 1 + # fi apt -qq update apt -qq install git wget -y 
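Review bot: Reverting to `${DOMAIN}` inside the single-quoted `yq eval '...'` program brings back the non-expansion problem: the shell does not substitute inside single quotes, so `oidc.config` is written with the literal text `${DOMAIN}` as the issuer host and OIDC discovery cannot succeed. `strenv(DOMAIN)` inside the program, or closing the quote around the variable (`'...issuer: https://'"${DOMAIN}"'/keycloak/realms/cnoe\n...'`), reads the variable correctly. The clone URL on the line above expands fine because it is unquoted.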
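Review bot: Commenting out the `client_secret` guard removes the only check that the OAuth secret was actually delivered to the Job; without it the script goes on to push a Forgejo configuration that points at a secret this Job never verified. If the check is no longer wanted it should be deleted rather than kept as commented code, and if the Job is supposed to wait for the secret, an `env`/`secretKeyRef` on the ExternalSecret's `secret` key achieves that without any shell logic.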
@@ -50,14 +50,14 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "giteaAdmin" - git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git + git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder yq eval ".gitea.oauth = [ { \"name\": \"Keycloak\", \"provider\": \"openidConnect\", \"existingSecret\": \"auth-generic-oauth-secret\", - \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\" + \"autoDiscoverUrl\": \"https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration\" } ] | (.gitea.oauth[] | .name) |= (. style=\"single\") From cce8c51b75a4fd4ca7bc4b4bab7eceecd94c7e57 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Thu, 17 Apr 2025 10:54:47 +0000 Subject: [PATCH 097/153] Add template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml --- .../argocd-forgejo-access-token.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml diff --git a/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml b/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml new file mode 100644 index 0000000..8003a1f --- /dev/null +++ b/template/stacks/core/argocd-sso/argocd-forgejo-access-token.yaml 
@@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: forgejo-access-token + namespace: argocd +spec: + secretStoreRef: + name: gitea + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: forgejo-access-token + template: + engineVersion: v2 + data: + forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}" + forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}" + metadata: + labels: + app.kubernetes.io/part-of: argocd + data: + - secretKey: FORGEJO_ACCESS_USERNAME + remoteRef: + key: forgejo-access-token + property: username + - secretKey: FORGEJO_ACCESS_TOKEN + remoteRef: + key: forgejo-access-token + property: token From 74523447ae7b7b8077546ac2bb6f508b1cd4dd5c Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 17 Apr 2025 12:56:58 +0200 Subject: [PATCH 098/153] adds the correct secrets --- .../core/argocd-sso/argocd-sso-config.yaml | 14 +++++++++++-- .../core/forgejo-sso/forgejo-sso-config.yaml | 20 +++++++++++++++++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index a374afb..2770527 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml @@ -22,6 +22,16 @@ spec: secretKeyRef: name: auth-generic-oauth-secret key: client_secret + - name: FORGEJO_USER + valueFrom: + secretKeyRef: + name: forgejo-access-token + key: forgejo_username + - name: FORGEJO_TOKEN + valueFrom: + secretKeyRef: + name: forgejo-access-token + key: forgejo_token # envFrom: # - secretRef: # name: auth-generic-oauth-secret # thats the external secret the job should wait for 
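Review bot: The generated `forgejo-access-token` Secret carries `app.kubernetes.io/part-of: argocd`, and on my reading of Argo CD that label is what makes a Secret referenceable from `argocd-cm` via `$name:key` and therefore readable by the Argo CD components; this Secret is a Forgejo write token consumed only by the config Job, so the label widens who can read it for no benefit. Unless Argo CD itself needs this token, drop the `metadata.labels` block from the template. `refreshInterval: "0"` again means a rotated Forgejo token will not propagate until the ExternalSecret is recreated.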
@@ -46,14 +56,14 @@ spec: DOMAIN=192-168-197-2.c-one-infra.de GIT_USERNAME=giteaAdmin - GIT_PASSWORD=a618f97ca89714d894d5bfc7ac47d0b76a7ec35a + GIT_PASSWORD=2d3a114ddfb6059929cc6d97451201e361a524f3 git config --global user.email "bot@bots.de" git config --global user.name "bot" git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder - yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://${DOMAIN}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml + yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml git add stacks/core/argocd/values.yaml git commit -m "adds Forgejo SSO config" diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index 3d51b86..cc7e82a 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -16,6 +16,22 @@ spec: containers: - name: push image: docker.io/library/ubuntu:22.04 + env: + - name: FORGEJO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: auth-generic-oauth-secret + key: client_secret + - name: FORGEJO_USER + valueFrom: + secretKeyRef: + name: forgejo-access-token + key: forgejo_username + - name: FORGEJO_TOKEN + valueFrom: + secretKeyRef: + name: forgejo-access-token + key: forgejo_token # envFrom: # - secretRef: # name: auth-generic-oauth-secret # thats the external secret the job should wait for 
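Review bot: `FORGEJO_CLIENT_SECRET` reads `key: client_secret` from `auth-generic-oauth-secret`, but the Forgejo ExternalSecret has templated that Secret with `key` and `secret` since PATCH 089; a non-optional `secretKeyRef` to a key that does not exist keeps the container from starting (`CreateContainerConfigError`). `key: secret` is the matching key. The script also never reads `FORGEJO_CLIENT_SECRET`, so once the key is corrected the variable only acts as a readiness gate, which deserves a comment on the `env` entry.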
@@ -45,7 +61,7 @@ spec: DOMAIN=192-168-197-2.c-one-infra.de GIT_USERNAME=giteaAdmin - GIT_PASSWORD=a618f97ca89714d894d5bfc7ac47d0b76a7ec35a + GIT_PASSWORD=2d3a114ddfb6059929cc6d97451201e361a524f3 git config --global user.email "bot@bots.de" git config --global user.name "giteaAdmin" @@ -57,7 +73,7 @@ spec: \"name\": \"Keycloak\", \"provider\": \"openidConnect\", \"existingSecret\": \"auth-generic-oauth-secret\", - \"autoDiscoverUrl\": \"https://${DOMAIN}/keycloak/realms/cnoe/.well-known/openid-configuration\" + \"autoDiscoverUrl\": \"https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration\" } ] | (.gitea.oauth[] | .name) |= (. style=\"single\") From 0e26cc9a3f1bbe46fbf670006aaf750cd0ae690a Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 17 Apr 2025 13:09:43 +0200 Subject: [PATCH 099/153] adds forgejo-access-token external secret for gitea namespace --- .../forgejo-sso/forgejo-access-token.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 template/stacks/core/forgejo-sso/forgejo-access-token.yaml diff --git a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml new file mode 100644 index 0000000..c5e56d3 --- /dev/null +++ b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml 
@@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: forgejo-access-token + namespace: gitea +spec: + secretStoreRef: + name: gitea + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: forgejo-access-token + template: + engineVersion: v2 + data: + forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}" + forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}" + metadata: + labels: + app.kubernetes.io/part-of: argocd + data: + - secretKey: FORGEJO_ACCESS_USERNAME + remoteRef: + key: forgejo-access-token + property: username + - secretKey: FORGEJO_ACCESS_TOKEN + remoteRef: + key: forgejo-access-token + property: token From 9dd9184cfd7329f8234a95406116e98840084ed2 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 17 Apr 2025 14:31:56 +0200 Subject: [PATCH 100/153] uses the new secrets for 'git clone'-command --- template/stacks/core/argocd-sso/argocd-sso-config.yaml | 2 +- template/stacks/core/forgejo-sso/forgejo-sso-config.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 2770527..f9b7b1c 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml @@ -61,7 +61,7 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "bot" - git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${FORGEJO_USER}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml 
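Review bot: This copy of `forgejo-access-token` lives in the `gitea` namespace, yet its template still labels the generated Secret `app.kubernetes.io/part-of: argocd`, carried over from the argocd-namespace variant in PATCH 097. The label has no consumer here and misattributes a Forgejo token to Argo CD in inventories and selectors; drop the `metadata.labels` block. A short header comment stating why the same token is mirrored into two namespaces (one Job per namespace) would also help the next reader.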
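Review bot: The new clone URL pairs `${FORGEJO_USER}` from the access-token Secret with `${GIT_PASSWORD}`, which is still the hard-coded admin token assigned earlier in the script, so the credentials no longer belong to the same account and the clone is rejected unless that token happens to be valid for that user. `${FORGEJO_TOKEN}` is already injected for exactly this purpose, as the Forgejo job's hunk in the same patch shows.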
diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index cc7e82a..a9a9a3a 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -21,7 +21,7 @@ spec: valueFrom: secretKeyRef: name: auth-generic-oauth-secret - key: client_secret + key: secret - name: FORGEJO_USER valueFrom: secretKeyRef: @@ -66,7 +66,7 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "giteaAdmin" - git clone https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder yq eval ".gitea.oauth = [ { From ba2b7dbc9f4670a037fd2709edf85a9b1cafed5c Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 17 Apr 2025 14:46:29 +0200 Subject: [PATCH 101/153] adds missing secret for 'git clone'-command --- template/stacks/core/argocd-sso/argocd-sso-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index f9b7b1c..35647ea 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml @@ -61,7 +61,7 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "bot" - git clone https://${FORGEJO_USER}:${GIT_PASSWORD}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git cd edfbuilder yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml 
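Review bot: Embedding the token in the clone URL, `https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git`, writes it into `.git/config` of the checkout and puts it in any error message git prints about the remote, which lands in the pod log. Since the token is already in the environment, a credential helper keeps it out of both places, e.g. `git -c credential.helper='!f() { echo "username=$FORGEJO_USER"; echo "password=$FORGEJO_TOKEN"; }; f' clone https://gitea-${DOMAIN}/giteaAdmin/edfbuilder.git` (with the same `-c` flag on `git push`). The now-unused `GIT_USERNAME`/`GIT_PASSWORD` assignments above the hunk still hold a hard-coded token and should go with this change; the Forgejo job hunks earlier on this line have the same shape.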
From 4e50289d91ea908819ce44b75f26d0903df2b006 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 17 Apr 2025 15:50:35 +0200 Subject: [PATCH 102/153] testing the hydration of domains --- template/stacks/core/argocd-sso/argocd-sso-config.yaml | 4 ++-- template/stacks/core/forgejo-sso/forgejo-sso-config.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 35647ea..4c83757 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml @@ -61,9 +61,9 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "bot" - git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git cd edfbuilder - yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml + yq eval '.configs.cm."oidc.config" = "name: Keycloak\nissuer: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe\nclientID: argocd\nclientSecret: $auth-generic-oauth-secret:client_secret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"' -i stacks/core/argocd/values.yaml git add stacks/core/argocd/values.yaml git commit -m "adds Forgejo SSO config" diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index a9a9a3a..3ed97b2 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml 
@@ -66,14 +66,14 @@ spec: git config --global user.email "bot@bots.de" git config --global user.name "giteaAdmin" - git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@gitea-${DOMAIN}/giteaAdmin/edfbuilder.git + git clone https://${FORGEJO_USER}:${FORGEJO_TOKEN}@{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder.git cd edfbuilder yq eval ".gitea.oauth = [ { \"name\": \"Keycloak\", \"provider\": \"openidConnect\", \"existingSecret\": \"auth-generic-oauth-secret\", - \"autoDiscoverUrl\": \"https://192-168-197-2.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration\" + \"autoDiscoverUrl\": \"https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration\" } ] | (.gitea.oauth[] | .name) |= (. style=\"single\") From f783a582c6e325d66d768ef09a3aec04bb63c83e Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Thu, 17 Apr 2025 16:45:59 +0200 Subject: [PATCH 103/153] does cleanup --- .../stacks/core/argocd-sso/argocd-sso-config.yaml | 11 +---------- .../core/forgejo-sso/forgejo-sso-config.yaml | 14 -------------- 2 files changed, 1 insertion(+), 24 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 4c83757..8513828 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml @@ -11,7 +11,7 @@ spec: metadata: generateName: argocd-config- spec: - # serviceAccountName: argocd-config + # serviceAccountName: bot restartPolicy: OnFailure containers: - name: push @@ -32,11 +32,6 @@ spec: secretKeyRef: name: forgejo-access-token key: forgejo_token - # envFrom: - # - secretRef: - # name: auth-generic-oauth-secret # thats the external secret the job should wait for - # - secretRef: - # name: k8s-job-token # edpbuilder should create this automatically and feed it to this job command: ["/bin/bash", "-c"] args: - | 
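Review bot: `serviceAccountName` stays commented out, so this Job runs under the namespace's `default` service account and gets its API token auto-mounted even though the script only talks to Forgejo over HTTPS. Adding `automountServiceAccountToken: false` to the pod `spec` (next to `restartPolicy`) removes that unneeded credential from the container; the same applies to forgejo-sso-config.yaml, whose pod spec is not part of these hunks. If a dedicated account is still planned, the commented line should say what it is for rather than just naming it `bot`.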
@@ -54,10 +49,6 @@ spec: rm yq_linux_arm64 fi - DOMAIN=192-168-197-2.c-one-infra.de - GIT_USERNAME=giteaAdmin - GIT_PASSWORD=2d3a114ddfb6059929cc6d97451201e361a524f3 - git config --global user.email "bot@bots.de" git config --global user.name "bot" diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index 3ed97b2..d85de44 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -32,21 +32,11 @@ spec: secretKeyRef: name: forgejo-access-token key: forgejo_token - # envFrom: - # - secretRef: - # name: auth-generic-oauth-secret # thats the external secret the job should wait for - # - secretRef: - # name: k8s-job-token # edpbuilder should create this automatically and feed it to this job command: ["/bin/bash", "-c"] args: - | #! /bin/bash - # if [[ "$client_secret" == "" ]]; - # then - # exit 1 - # fi - apt -qq update apt -qq install git wget -y if [[ "$(uname -m)" == "x86_64" ]]; then @@ -59,10 +49,6 @@ spec: rm yq_linux_arm64 fi - DOMAIN=192-168-197-2.c-one-infra.de - GIT_USERNAME=giteaAdmin - GIT_PASSWORD=2d3a114ddfb6059929cc6d97451201e361a524f3 - git config --global user.email "bot@bots.de" git config --global user.name "giteaAdmin" From 6ac5a9450359850cefbe82d4bbf48fbcfb54bfa6 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 22 Apr 2025 09:55:18 +0200 Subject: [PATCH 104/153] updates Forgejo sync policy --- template/stacks/core/forgejo.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml index a89d576..6e2f06f 100644 --- a/template/stacks/core/forgejo.yaml +++ b/template/stacks/core/forgejo.yaml @@ -12,6 +12,7 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true + - Replace=true destination: name: in-cluster namespace: gitea From a9ae743de992ebb61cd8e0114f9376564b6e6013 Mon Sep 17 00:00:00 2001 
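Review bot: Removing `GIT_PASSWORD=2d3a114ddfb6059929cc6d97451201e361a524f3` from the script does not retire that credential: the literal remains in the repository history (this patch series is itself a record of it), so the token has to be treated as exposed and revoked or rotated in Forgejo independently of this cleanup. The identical removal in the forgejo-sso hunk `@@ -59,10 +49,6 @@` on this line carries the same consequence. The new side now depends on `FORGEJO_TOKEN` arriving from the `forgejo-access-token` secret, which is the right direction; a secret-scanning pre-commit check for this repo would stop a recurrence.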
From: miwr Date: Tue, 22 Apr 2025 14:13:15 +0200 Subject: [PATCH 105/153] subpath --- template/stacks/ref-implementation/openbao/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 16154c8..34f275b 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -43,7 +43,6 @@ server: - name: sidecar-script mountPath: /etc/nginx subPath: nginx.conf - subPathExpr: 'nginx.conf' - name: sidecar-script mountPath: /tmp/sidecar.sh subPath: sidecar.sh From 350e3a804cfce89b05291033443ab41163dcd75c Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 22 Apr 2025 14:25:44 +0200 Subject: [PATCH 106/153] nginx.conf --- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 34f275b..3479417 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -41,7 +41,7 @@ server: - containerPort: 8080 volumeMounts: - name: sidecar-script - mountPath: /etc/nginx + mountPath: /etc/nginx/nginx.conf subPath: nginx.conf - name: sidecar-script mountPath: /tmp/sidecar.sh From 9bb0063f8bd7608a811eeedef3a1d0d9748c55bc Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Tue, 22 Apr 2025 12:29:50 +0000 Subject: [PATCH 107/153] Use Redis in the Forgejo configuration to support rolling updates of Forgejo itself Forgejo is not able to be reconfigured by default: a queue is locked To circumvent the problem, we need simply to enable the use of Redis as a Forgejo component --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 90b01a6..b98bbf3 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,5 +1,5 @@ redis-cluster: - enabled: false + enabled: true postgresql: enabled: false postgresql-ha: From 87ce37972d55a89e6a8a78cacdc58c3ded60251e Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 22 Apr 2025 14:42:37 +0200 Subject: [PATCH 108/153] new service --- .../sidecar-script-configmap.yaml | 24 +++++++------------ .../ref-implementation/openbao/values.yaml | 14 +++++++---- 2 files changed, 18 insertions(+), 20 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 811add3..639b8d8 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -5,21 +5,15 @@ metadata: namespace: openbao data: sidecar.sh: | - #!/bin/bash + #!/bin/sh echo "Sending SIGHUP to OpenBAO..." kill -SIGHUP $(pidof bao) || echo "OpenBAO process not found" - nginx.conf: | - events {} - - http { - server { - listen 8080; - - location / { - exec /tmp/sidecar.sh; - default_type text/plain; - return 200 "SIGHUP sent to OpenBAO\n"; - } - } - } \ No newline at end of file + start.sh: | + #!/bin/sh + echo "Starting mini HTTP server on port 8080..." + while true; do + # Wait for HTTP POST and respond + { echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"; \ + /tmp/sidecar.sh; } | nc -l -p 8080 -q 1 + done \ No newline at end of file diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 3479417..e6d8a38 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml 
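Review bot: The `start.sh` added in the sidecar-script-configmap hunk runs `/tmp/sidecar.sh` — a SIGHUP to the OpenBao server — for every connection on port 8080, with no method check and network reachability as the only authorization; at minimum the port should be fenced with a NetworkPolicy that admits only the logrotate job pods. The response framing is also wrong: the header says `Content-Length: 26` but `SIGHUP sent to OpenBAO` is 22 bytes, and `/tmp/sidecar.sh`'s own `echo "Sending SIGHUP to OpenBAO..."` is piped into the body too, so a client honouring the header waits for bytes that never arrive — set the length to the real body and run the script as `/tmp/sidecar.sh >/dev/null 2>&1` so its output stays out of the socket. Whether the busybox `nc` in `alpine:latest` accepts `-q 1` should be verified; it is a GNU/OpenBSD netcat option.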
+++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -35,14 +35,18 @@ server: subPath: passwd - name: sidecar-script mountPath: /tmp - - name: sidecar-nginx - image: nginx:latest + - name: sidecar + image: alpine:latest + command: ["/bin/sh", "/tmp/start.sh"] ports: - - containerPort: 8080 + - containerPort: 8080 volumeMounts: - name: sidecar-script - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf + mountPath: /tmp/sidecar.sh + subPath: sidecar.sh + - name: sidecar-script + mountPath: /tmp/start.sh + subPath: start.sh - name: sidecar-script mountPath: /tmp/sidecar.sh subPath: sidecar.sh From d17861bc87b2470c1143495b2ab4b9dec7653987 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 22 Apr 2025 14:46:41 +0200 Subject: [PATCH 109/153] another try --- .../ref-implementation/openbao/values.yaml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index e6d8a38..4157ffa 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -22,19 +22,19 @@ server: - name: passwd-volume mountPath: /etc/passwd subPath: passwd - - name: logrotate2 - image: alpine:latest - command: ["/bin/sh", "-c", "/tmp/sidecar.sh"] - securityContext: - runAsUser: 100 - ports: - - containerPort: 8081 - volumeMounts: - - name: passwd-volume - mountPath: /etc/passwd - subPath: passwd - - name: sidecar-script - mountPath: /tmp + # - name: logrotate2 + # image: alpine:latest + # command: ["/bin/sh", "-c", "/tmp/sidecar.sh"] + # securityContext: + # runAsUser: 100 + # ports: + # - containerPort: 8081 + # volumeMounts: + # - name: passwd-volume + # mountPath: /etc/passwd + # subPath: passwd + # - name: sidecar-script + # mountPath: /tmp - name: sidecar image: alpine:latest command: ["/bin/sh", "/tmp/start.sh"] 
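Review bot: The new `sidecar` container in `@@ -35,14 +35,18 @@` has no `securityContext`, so `alpine:latest` runs it as root, whereas the `logrotate2` container it replaces (commented out in the second hunk on this line) ran with `runAsUser: 100`; suggest `securityContext: {runAsUser: 100, runAsNonRoot: true, allowPrivilegeEscalation: false}` and pinning the image to a digest rather than `latest`. Note that `kill -SIGHUP $(pidof bao)` from a separate container can only see the bao process if the pod sets `shareProcessNamespace: true`, which nothing in this hunk shows, and a non-root sidecar additionally needs the same UID as the bao process to deliver the signal — worth confirming against the rest of the values file. The two `volumeMounts` entries with `mountPath: /tmp/sidecar.sh` will be rejected by the API server as non-unique mount paths ([PATCH 110/153] later removes one). The container list continues outside the hunk.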
From 1268e3ea2479ebb296b7447e70315b752246878e Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 22 Apr 2025 14:50:50 +0200 Subject: [PATCH 110/153] unique --- template/stacks/ref-implementation/openbao/values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index 4157ffa..cc6fd3d 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -41,9 +41,6 @@ server: ports: - containerPort: 8080 volumeMounts: - - name: sidecar-script - mountPath: /tmp/sidecar.sh - subPath: sidecar.sh - name: sidecar-script mountPath: /tmp/start.sh subPath: start.sh From 4447c299879b0ee8db14777f24d2610be63361ea Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 22 Apr 2025 14:59:44 +0200 Subject: [PATCH 111/153] cancel last ommit --- template/stacks/core/forgejo.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml index 6e2f06f..a89d576 100644 --- a/template/stacks/core/forgejo.yaml +++ b/template/stacks/core/forgejo.yaml @@ -12,7 +12,6 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true destination: name: in-cluster namespace: gitea From c8eac10fcfc278f333389e154a7560e60d9418db Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 22 Apr 2025 15:11:16 +0200 Subject: [PATCH 112/153] muss so --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 90b01a6..b98bbf3 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,5 +1,5 @@ redis-cluster: - enabled: false + enabled: true postgresql: enabled: false postgresql-ha: From 40d1d025a6c520081040659cbb5fed8318416969 Mon Sep 17 00:00:00 2001 
From: miwr Date: Tue, 22 Apr 2025 15:13:56 +0200 Subject: [PATCH 113/153] new script --- .../sidecar-script-configmap.yaml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 639b8d8..0103127 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -11,9 +11,20 @@ data: start.sh: | #!/bin/sh + echo "Starting mini HTTP server on port 8080..." + while true; do - # Wait for HTTP POST and respond - { echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO"; \ - /tmp/sidecar.sh; } | nc -l -p 8080 -q 1 + echo "Waiting for HTTP POST..." + REQUEST=$(nc -l -p 8080) + + echo "$REQUEST" | grep -q "POST /" && { + echo "Received POST request, sending SIGHUP..." + /tmp/sidecar.sh + RESPONSE="HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\nSIGHUP sent to OpenBAO" + } || { + RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed" + } + + echo -e "$RESPONSE" | nc -N localhost 8081 done \ No newline at end of file From 6afdc2c64f6262551417307c76b6d02b7a8b3b15 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 22 Apr 2025 15:17:34 +0200 Subject: [PATCH 114/153] removes some comments --- template/stacks/core/argocd-sso/argocd-sso-config.yaml | 3 --- template/stacks/core/forgejo-sso/forgejo-sso-config.yaml | 3 --- 2 files changed, 6 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 8513828..6beca14 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml +++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml 
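Review bot: In the rewritten `start.sh` the reply is sent with `echo -e "$RESPONSE" | nc -N localhost 8081`, i.e. to a different port on the sidecar's own loopback where nothing listens, while the client that connected to 8080 has its socket closed with no HTTP response as soon as `REQUEST=$(nc -l -p 8080)` returns — the logrotate `postrotate` hook will therefore see a failed POST even when the SIGHUP was delivered. The response has to be written on the accepted connection: with a busybox-style `nc` that means serving through `nc -l -p 8080 -e /tmp/handler.sh` (handler reads the request on stdin, runs `/tmp/sidecar.sh >/dev/null 2>&1` on `POST /`, prints the status line and body on stdout) or a FIFO, not a second outbound `nc`. I don't believe busybox `nc` accepts `-N` at all, so on `alpine:latest` the outbound call likely fails outright. The port change in [PATCH 117/153] keeps this same structure with 3030/3031.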
@@ -4,14 +4,11 @@ kind: Job metadata: name: argocd-config namespace: argocd -# annotations: -# argocd.argoproj.io/hook: PostSync spec: template: metadata: generateName: argocd-config- spec: - # serviceAccountName: bot restartPolicy: OnFailure containers: - name: push diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml index d85de44..bbb4178 100644 --- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml +++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml @@ -4,14 +4,11 @@ kind: Job metadata: name: forgejo-config namespace: gitea -# annotations: -# argocd.argoproj.io/hook: PostSync spec: template: metadata: generateName: forgejo-config- spec: - # serviceAccountName: bot restartPolicy: OnFailure containers: - name: push From 3f6ec41ece250a1fcef0eb3c80f8d16f88465f83 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 22 Apr 2025 15:52:16 +0200 Subject: [PATCH 115/153] service corrected --- .../openbao-logging/sidecar-script-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml index cb44183..fcc0291 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml @@ -5,7 +5,7 @@ metadata: namespace: openbao spec: selector: - app: openbao-0 + app: openbao ports: - protocol: TCP port: 8080 From 4eb6fa0908488f9e1c2a01cbc4556cdb30d05606 Mon Sep 17 00:00:00 2001 
From: Bot Date: Tue, 22 Apr 2025 18:56:30 +0200 Subject: [PATCH 116/153] Removed unused ArgoCD Application manifests of Crossplane --- .../stacks/core/crossplane-compositions.yaml | 23 -------------- .../edfbuilder/definition.yaml | 30 ------------------- .../stacks/core/crossplane-providers.yaml | 23 -------------- .../function-patch-and-transform.yaml | 9 ------ .../provider-argocd-config.yaml | 14 --------- .../provider-kind-config.yaml | 14 --------- template/stacks/core/crossplane.yaml | 23 -------------- 7 files changed, 136 deletions(-) delete mode 100644 template/stacks/core/crossplane-compositions.yaml delete mode 100644 template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml delete mode 100644 template/stacks/core/crossplane-providers.yaml delete mode 100644 template/stacks/core/crossplane-providers/function-patch-and-transform.yaml delete mode 100644 template/stacks/core/crossplane-providers/provider-argocd-config.yaml delete mode 100644 template/stacks/core/crossplane-providers/provider-kind-config.yaml delete mode 100644 template/stacks/core/crossplane.yaml diff --git a/template/stacks/core/crossplane-compositions.yaml b/template/stacks/core/crossplane-compositions.yaml deleted file mode 100644 index d5341c8..0000000 --- a/template/stacks/core/crossplane-compositions.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: crossplane-compositions - namespace: argocd - labels: - env: dev -spec: - project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: crossplane-system - source: - path: stacks/core/crossplane-compositions - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD - directory: - recurse: true 
diff --git a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml b/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml deleted file mode 100644 index d8e3e9d..0000000 --- a/template/stacks/core/crossplane-compositions/edfbuilder/definition.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: apiextensions.crossplane.io/v1 -kind: CompositeResourceDefinition -metadata: - name: edfbuilders.edfbuilder.crossplane.io -spec: - connectionSecretKeys: - - kubeconfig - group: edfbuilder.crossplane.io - names: - kind: EDFBuilder - listKind: EDFBuilderList - plural: edfbuilders - singular: edfbuilders - versions: - - name: v1alpha1 - served: true - referenceable: true - schema: - openAPIV3Schema: - description: A EDFBuilder is a composite resource that represents a K8S Cluster with edfbuilder Installed - type: object - properties: - spec: - type: object - properties: - repoURL: - type: string - description: URL to ArgoCD stack of stacks repo - required: - - repoURL diff --git a/template/stacks/core/crossplane-providers.yaml b/template/stacks/core/crossplane-providers.yaml deleted file mode 100644 index 3fd69b7..0000000 --- a/template/stacks/core/crossplane-providers.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{{ if eq .Env.CLUSTER_TYPE "kind" }}} -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: crossplane-providers - namespace: argocd - labels: - env: dev -spec: - project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: crossplane-system - source: - path: stacks/core/crossplane-providers - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD -{{{ end }}} diff --git a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml b/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml deleted file mode 100644 index 9a16bba..0000000 
--- a/template/stacks/core/crossplane-providers/function-patch-and-transform.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Function -metadata: - name: crossplane-contrib-function-patch-and-transform -spec: - package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0 - packagePullPolicy: IfNotPresent # Only download the package if it isn’t in the cache. - revisionActivationPolicy: Automatic # Otherwise our Provider never gets activate & healthy - revisionHistoryLimit: 1 \ No newline at end of file diff --git a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml b/template/stacks/core/crossplane-providers/provider-argocd-config.yaml deleted file mode 100644 index dba4aad..0000000 --- a/template/stacks/core/crossplane-providers/provider-argocd-config.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: argocd.crossplane.io/v1alpha1 -kind: ProviderConfig -metadata: - name: argocd-provider -spec: - serverAddr: argocd-server.argocd.svc.cluster.local:80 - insecure: true - plainText: true - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: argocd-credentials - key: authToken diff --git a/template/stacks/core/crossplane-providers/provider-kind-config.yaml b/template/stacks/core/crossplane-providers/provider-kind-config.yaml deleted file mode 100644 index edc8dcb..0000000 --- a/template/stacks/core/crossplane-providers/provider-kind-config.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: kind.crossplane.io/v1alpha1 -kind: ProviderConfig -metadata: - name: kind-provider -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: kind-credentials - key: credentials - endpoint: - # the url is managed by crossplane-edfbuilder - url: https://DOCKER_HOST:SERVER_PORT/api/v1/kindserver diff --git a/template/stacks/core/crossplane.yaml b/template/stacks/core/crossplane.yaml deleted file mode 100644 index 4b6f2af..0000000 
--- a/template/stacks/core/crossplane.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: crossplane - namespace: argocd - labels: - env: dev -spec: - project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: crossplane-system - source: - chart: crossplane - repoURL: https://charts.crossplane.io/stable - targetRevision: 1.18.0 - helm: - releaseName: crossplane From d45c89c0b82eec6cfa7ae14c04a6c34acba8e441 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 10:32:16 +0200 Subject: [PATCH 117/153] 3030 --- .../openbao-logging/sidecar-script-configmap.yaml | 6 +++--- .../openbao-logging/sidecar-script-service.yaml | 7 ++++--- template/stacks/ref-implementation/openbao/values.yaml | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml index 0103127..c215cd4 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-configmap.yaml @@ -12,11 +12,11 @@ data: start.sh: | #!/bin/sh - echo "Starting mini HTTP server on port 8080..." + echo "Starting mini HTTP server on port 3030..." while true; do echo "Waiting for HTTP POST..." - REQUEST=$(nc -l -p 8080) + REQUEST=$(nc -l -p 3030) echo "$REQUEST" | grep -q "POST /" && { echo "Received POST request, sending SIGHUP..." @@ -26,5 +26,5 @@ data: RESPONSE="HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed" } - echo -e "$RESPONSE" | nc -N localhost 8081 + echo -e "$RESPONSE" | nc -N localhost 3031 done \ No newline at end of file 
diff --git a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml index fcc0291..817ed6c 100644 --- a/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml +++ b/template/stacks/ref-implementation/openbao-logging/sidecar-script-service.yaml @@ -5,8 +5,9 @@ metadata: namespace: openbao spec: selector: - app: openbao + app.kubernetes.io/instance: openbao + component: server ports: - protocol: TCP - port: 8080 - targetPort: 8080 + port: 3030 + targetPort: 3030 diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml index cc6fd3d..f370ab5 100644 --- a/template/stacks/ref-implementation/openbao/values.yaml +++ b/template/stacks/ref-implementation/openbao/values.yaml @@ -39,7 +39,7 @@ server: image: alpine:latest command: ["/bin/sh", "/tmp/start.sh"] ports: - - containerPort: 8080 + - containerPort: 3030 volumeMounts: - name: sidecar-script mountPath: /tmp/start.sh From e1da09b2cc7c1f124feaa83d38f313e602b9d016 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 10:51:42 +0200 Subject: [PATCH 118/153] push --- .../openbao-alloy-configmap.yaml | 58 +++++++++---------- .../openbao-logging/logrotate-configmap.yaml | 2 +- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-alloy-configmap.yaml b/template/stacks/ref-implementation/openbao-alloy-configmap.yaml index d6f9bc6..5020633 100644 --- a/template/stacks/ref-implementation/openbao-alloy-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-alloy-configmap.yaml 
@@ -1,29 +1,29 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: openbao-logging-setup - namespace: argocd - labels: - env: dev - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - source: - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD - path: "stacks/ref-implementation/openbao-logging" - destination: - server: "https://kubernetes.default.svc" - namespace: openbao - syncPolicy: - syncOptions: - - CreateNamespace=true - automated: - selfHeal: true - retry: - limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s +# apiVersion: argoproj.io/v1alpha1 +# kind: Application +# metadata: +# name: openbao-logging-setup +# namespace: argocd +# labels: +# env: dev +# finalizers: +# - resources-finalizer.argocd.argoproj.io +# spec: +# project: default +# source: +# repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder +# targetRevision: HEAD +# path: "stacks/ref-implementation/openbao-logging" +# destination: +# server: "https://kubernetes.default.svc" +# namespace: openbao +# syncPolicy: +# syncOptions: +# - CreateNamespace=true +# automated: +# selfHeal: true +# retry: +# limit: -1 +# backoff: +# duration: 15s +# factor: 1 +# maxDuration: 15s diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index 47c98ae..bd5c85f 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml 
@@ -11,6 +11,6 @@ data: missingok notifempty postrotate - echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:8080\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 8080 + echo -e "POST / HTTP/1.1\r\nHost: sidecar-script-service.openbao.svc.cluster.local:3030\r\nContent-Length: 0\r\n\r\n" | nc sidecar-script-service.openbao.svc.cluster.local 3030 endscript } \ No newline at end of file From ee08dc2f3394d33fde204f53c7690df2e5a4a76c Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 23 Apr 2025 10:56:34 +0200 Subject: [PATCH 119/153] testing redis changes --- template/stacks/core/forgejo/values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index b98bbf3..15a4bd5 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,5 +1,7 @@ redis-cluster: - enabled: true + enabled: false +redis: + enabled: true postgresql: enabled: false postgresql-ha: From 15d9160b16aa1a93d8b9aa824cfa2efb5398e9b4 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 23 Apr 2025 11:02:59 +0200 Subject: [PATCH 120/153] testing redis changes --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 15a4bd5..f35f1c7 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,7 +1,7 @@ redis-cluster: enabled: false redis: - enabled: true + enabled: false postgresql: enabled: false postgresql-ha: From fbee7995e14eb9bc9ada247929b4f8dd82180f42 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 23 Apr 2025 11:14:27 +0200 Subject: [PATCH 121/153] testing redis changes --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
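Review bot: The `postrotate` call `nc sidecar-script-service.openbao.svc.cluster.local 3030` has no timeout, and because the sidecar's `start.sh` never writes a response back on this connection ([PATCH 113/153]), the hook can block for as long as the peer keeps the socket open, stalling the rest of the logrotate run; bound it with `nc -w 5 sidecar-script-service.openbao.svc.cluster.local 3030` and check the exit status so a failed reload shows up in the Job log. Which `nc` the `skymatic/logrotate:latest` image ships, and hence whether `-w` is accepted, should be confirmed before relying on it.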
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index f35f1c7..15a4bd5 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,7 +1,7 @@ redis-cluster: enabled: false redis: - enabled: false + enabled: true postgresql: enabled: false postgresql-ha: From 7e599a94223fd8533cf13b2fbf5176e5705224b4 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Wed, 23 Apr 2025 11:21:51 +0200 Subject: [PATCH 122/153] testing redis changes --- template/stacks/core/forgejo/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 15a4bd5..fa040ea 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,7 +1,7 @@ redis-cluster: - enabled: false + enabled: true redis: - enabled: true + enabled: false postgresql: enabled: false postgresql-ha: From 700c242cddb3f3a299115a9f84ce553dd044ac53 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 11:24:03 +0200 Subject: [PATCH 123/153] final touches --- .../openbao-alloy-configmap.yaml | 29 ------------------- ...ogging-setup.yaml => openbao-logging.yaml} | 0 .../openbao-logging/logrotate-configmap.yaml | 2 +- .../openbao-logging/logrotate-cronjob.yaml | 9 +++--- 4 files changed, 6 insertions(+), 34 deletions(-) delete mode 100644 template/stacks/ref-implementation/openbao-alloy-configmap.yaml rename template/stacks/ref-implementation/{open-bao-logging-setup.yaml => openbao-logging.yaml} (100%) diff --git a/template/stacks/ref-implementation/openbao-alloy-configmap.yaml b/template/stacks/ref-implementation/openbao-alloy-configmap.yaml deleted file mode 100644 index 5020633..0000000 --- a/template/stacks/ref-implementation/openbao-alloy-configmap.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: openbao-logging-setup -# namespace: argocd -# labels: -# env: dev -# finalizers: -# - resources-finalizer.argocd.argoproj.io -# spec: -# project: default -# source: -# repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder -# targetRevision: HEAD -# path: "stacks/ref-implementation/openbao-logging" -# destination: -# server: "https://kubernetes.default.svc" -# namespace: openbao -# syncPolicy: -# syncOptions: -# - CreateNamespace=true -# automated: -# selfHeal: true -# retry: -# limit: -1 -# backoff: -# duration: 15s -# factor: 1 -# maxDuration: 15s diff --git a/template/stacks/ref-implementation/open-bao-logging-setup.yaml b/template/stacks/ref-implementation/openbao-logging.yaml similarity index 100% rename from template/stacks/ref-implementation/open-bao-logging-setup.yaml rename to template/stacks/ref-implementation/openbao-logging.yaml diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index bd5c85f..e31d9df 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -5,7 +5,7 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 5k + size 10M rotate 7 compress missingok diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 9b51ba1..48a4ac8 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml 
@@ -2,8 +2,9 @@ apiVersion: batch/v1 kind: CronJob metadata: name: logrotate-cronjob - spec: - schedule: "*/2 * * * *" + namespace: openbao +spec: + schedule: "*/10 * * * *" jobTemplate: spec: template: @@ -12,8 +13,8 @@ metadata: - name: logrotate image: skymatic/logrotate:latest securityContext: - runAsUser: 100 - command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep infinity"] + runAsUser: 100 + command: ["/bin/sh", "-c", && sleep infinity"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs From 84d4f0af07f3e97b46850c0fe0fccd1517d08851 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 11:26:02 +0200 Subject: [PATCH 124/153] don't sleep --- .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 48a4ac8..8f79452 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -14,7 +14,7 @@ spec: image: skymatic/logrotate:latest securityContext: runAsUser: 100 - command: ["/bin/sh", "-c", && sleep infinity"] + command: ["/bin/sh", "-c"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs From 4d20aeeaac01a8e937f9ea0f1e3e4bffb943ecdb Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 11:34:01 +0200 Subject: [PATCH 125/153] 5 minutes --- .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 8f79452..65b9d9f 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml 
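Review bot: The new `command: ["/bin/sh", "-c", && sleep infinity"]` in the second hunk is not valid YAML: inside a flow sequence `&& sleep infinity"` is a plain scalar beginning with `&`, the anchor indicator, and the trailing `"` is unbalanced, so the CronJob manifest fails to parse and the `logrotate /etc/logrotate.conf` invocation is lost with it. The same malformed form returns in [PATCH 128/153]; [PATCH 129/153] ends at `command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]`, which is what this hunk should have contained. Independently, `sleep infinity` in a CronJob container means no Job ever reaches Completed, so pods accumulate on each schedule tick unless `concurrencyPolicy` or history limits elsewhere in the file constrain it — a one-shot `logrotate /etc/logrotate.conf` is the right shape. The container spec continues outside the hunk.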
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: logrotate-cronjob namespace: openbao spec: - schedule: "*/10 * * * *" + schedule: "*/5 * * * *" jobTemplate: spec: template: @@ -14,7 +14,7 @@ spec: image: skymatic/logrotate:latest securityContext: runAsUser: 100 - command: ["/bin/sh", "-c"] + # command: ["/bin/sh", "-c", && sleep infinity"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs From 135844644dfa4c2971da27261d32e51c3f761be5 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 11:45:10 +0200 Subject: [PATCH 126/153] command: ["/bin/sh", "-c", "sleep 10"] --- .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 65b9d9f..b03ab1e 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -14,7 +14,7 @@ spec: image: skymatic/logrotate:latest securityContext: runAsUser: 100 - # command: ["/bin/sh", "-c", && sleep infinity"] + command: ["/bin/sh", "-c", "sleep 10"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs From 7dfefa8ac9f0ce5f697b9c6766b15cbd775f2bd5 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 11:45:26 +0200 Subject: [PATCH 127/153] 2M --- .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml index e31d9df..34e2826 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml 
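Review bot: `command: ["/bin/sh", "-c", "sleep 10"]` in the [PATCH 126/153] hunk overrides the image entrypoint with a command that never invokes logrotate, so from this commit the CronJob completes successfully on every run while rotating nothing — a green Job history here is misleading. The intended form is `command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf"]`, which [PATCH 129/153] later lands with an added `sleep`. The preceding [PATCH 125/153] hunk on this line commented the command out entirely, which leaves the behaviour to the image's default entrypoint — whatever that does is not visible from the manifest.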
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml @@ -5,7 +5,7 @@ metadata: data: logrotate.conf: | /openbao/logs/openbao/*.log { - size 10M + size 2M rotate 7 compress missingok From 1abbd9b64616f10b06b283dc068ea2dc42ce32ae Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 11:56:08 +0200 Subject: [PATCH 128/153] && sleep 10 --- .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index b03ab1e..324489a 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -14,7 +14,7 @@ spec: image: skymatic/logrotate:latest securityContext: runAsUser: 100 - command: ["/bin/sh", "-c", "sleep 10"] + command: ["/bin/sh", "-c", && sleep 10"] volumeMounts: - name: host-log-storage mountPath: /openbao/logs From 20a6113403fd54be670b92dd5351b62f50fa1513 Mon Sep 17 00:00:00 2001 From: miwr Date: Wed, 23 Apr 2025 12:01:20 +0200 Subject: [PATCH 129/153] new changes --- .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml index 324489a..755d6b9 100644 --- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml +++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: logrotate-cronjob namespace: openbao spec: - schedule: "*/5 * * * *" + schedule: "*/2 * * * *" jobTemplate: spec: template: 
@@ -14,7 +14,7 @@ spec:
 image: skymatic/logrotate:latest
 securityContext:
 runAsUser: 100
- command: ["/bin/sh", "-c", && sleep 10"]
+ command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf && sleep 10"]
 volumeMounts:
 - name: host-log-storage
 mountPath: /openbao/logs
From d1355e47c88fbcf04338097f94b2cd9bb220380f Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 12:56:56 +0200
Subject: [PATCH 130/153] don't compress
---
 .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
index 34e2826..7cd2a3d 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@@ -7,7 +7,6 @@ data:
 /openbao/logs/openbao/*.log {
 size 2M
 rotate 7
- compress
 missingok
 notifempty
 postrotate
From 58fd63da5490d2132258811659b627baa7ded199 Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 13:11:58 +0200
Subject: [PATCH 131/153] 0 * * * *
---
 .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 2 +-
 .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
index 7cd2a3d..b8f9d1a 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@@ -5,7 +5,7 @@ metadata:
 data:
 logrotate.conf: |
 /openbao/logs/openbao/*.log {
- size 2M
+ size 50M
 rotate 7
 missingok
 notifempty
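Review bot: The trailing `&& sleep 10` in the first hunk's new `command` adds ten idle seconds to every run and, because it is chained with `&&`, is skipped precisely when logrotate fails, so it has no diagnostic value either; `command: ["/bin/sh", "-c", "logrotate /etc/logrotate.conf"]` gives the Job logrotate's real exit status with no delay. If the sleep is there to keep the container alive long enough to inspect it, say so in a comment and remove it before this leaves the test phase. Since the job runs as `runAsUser: 100` (context line), confirm that the state file logrotate writes by default is on a path that uid can write, otherwise every run reports failure after rotating nothing. The container spec continues outside the hunk.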
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 755d6b9..c8b80c4 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -4,7 +4,7 @@ metadata:
 name: logrotate-cronjob
 namespace: openbao
 spec:
- schedule: "*/2 * * * *"
+ schedule: "0 * * * *"
 jobTemplate:
 spec:
 template:
From abeeb7ee23e50605ebcd9a2af79e871b32560534 Mon Sep 17 00:00:00 2001
From: Bot
Date: Wed, 23 Apr 2025 13:20:24 +0200
Subject: [PATCH 132/153] chore(backstage): pin to backstage-edp v1.1.0
---
 .../stacks/ref-implementation/backstage/manifests/install.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/template/stacks/ref-implementation/backstage/manifests/install.yaml b/template/stacks/ref-implementation/backstage/manifests/install.yaml
index c86f6fa..88f0d0e 100644
--- a/template/stacks/ref-implementation/backstage/manifests/install.yaml
+++ b/template/stacks/ref-implementation/backstage/manifests/install.yaml
@@ -264,7 +264,8 @@ spec:
 name: gitea-credentials
 - secretRef:
 name: argocd-credentials
- image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:development
+ image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0
+ imagePullPolicy: Always
 name: backstage
 ports:
 - containerPort: 7007
From 01a9c0e0e696d0b8244b7bcf119414edd68cf9ba Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 13:28:18 +0200
Subject: [PATCH 133/153] deleted unneccessary container
---
 .../stacks/ref-implementation/openbao/values.yaml | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index f370ab5..798e909 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
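Review bot: `imagePullPolicy: Always` together with the mutable `1.1.0` tag in the backstage hunk means every pod start fetches whatever the registry currently serves under that tag, so the "pin" holds only as long as nobody re-pushes it. For a reproducible and tamper-evident deployment, pin by digest as well, `image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/backstage-edp:1.1.0@sha256:<digest-placeholder>`, at which point `Always` is harmless but no longer needed. If `Always` was added deliberately to pick up rebuilds of the same tag, a comment above it saying so will stop the next reviewer from removing it. The container spec continues outside the hunk.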
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -22,19 +22,6 @@ server:
 - name: passwd-volume
 mountPath: /etc/passwd
 subPath: passwd
- # - name: logrotate2
- # image: alpine:latest
- # command: ["/bin/sh", "-c", "/tmp/sidecar.sh"]
- # securityContext:
- # runAsUser: 100
- # ports:
- # - containerPort: 8081
- # volumeMounts:
- # - name: passwd-volume
- # mountPath: /etc/passwd
- # subPath: passwd
- # - name: sidecar-script
- # mountPath: /tmp
 - name: sidecar
 image: alpine:latest
 command: ["/bin/sh", "/tmp/start.sh"]
From 9c8cdbf7a46f0c931bf5cc555b1208d478d1bec0 Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 13:54:07 +0200
Subject: [PATCH 134/153] no logrotate sidecar container
---
 .../ref-implementation/openbao/values.yaml | 21 -------------------
 1 file changed, 21 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index 798e909..18e79f6 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -1,27 +1,6 @@
 server:
 shareProcessNamespace: true
 extraContainers:
- - name: logrotate
- image: skymatic/logrotate:latest # MIT License
- securityContext:
- runAsUser: 100
- env:
- - name: CRON_SCHEDULE
- value: "* * * * *"
- - name: TINI_SUBREAPER
- value:
- volumeMounts:
- - name: host-log-storage
- mountPath: /openbao/logs
- - name: logrotate-config-volume
- mountPath: /etc/logrotate.conf
- subPath: logrotate.conf
- readOnly: true
- - name: status
- mountPath: /var/lib
- - name: passwd-volume
- mountPath: /etc/passwd
- subPath: passwd
 - name: sidecar
 image: alpine:latest
 command: ["/bin/sh", "/tmp/start.sh"]
From 7e2243d52da9108c560b162ea1f457c80a413bc3 Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 13:59:30 +0200
Subject: [PATCH 135/153] test to ds
---
 .../create-logging-directory.yaml | 27 ++++++++++++++-----
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
index 61f45ef..06321f9 100644
--- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
@@ -12,7 +12,26 @@ spec:
 labels:
 app: openbao-logging-dir
 spec:
- initContainers:
+ # initContainers:
+ # - name: creator
+ # image: busybox
+ # command: ["/bin/sh", "-c"]
+ # args:
+ # - |
+ # set -e
+ # mkdir -p /var/log/openbao
+ # chown 100:100 /var/log/openbao
+ # securityContext:
+ # runAsUser: 0
+ # volumeMounts:
+ # - name: host-log
+ # mountPath: /var/log
+ containers:
+ # - name: running-container
+ # image: busybox
+ # command: ["sleep", "infinity"]
+ # securityContext:
+ # runAsUser: 0
 - name: creator
 image: busybox
 command: ["/bin/sh", "-c"]
@@ -26,12 +45,6 @@ spec:
 volumeMounts:
 - name: host-log
 mountPath: /var/log
- containers:
- - name: running-container
- image: busybox
- command: ["sleep", "infinity"]
- securityContext:
- runAsUser: 0
 volumes:
 - name: host-log
 hostPath:
From 596a234192bf24ad18fe607f9b0f26aefff34c08 Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 14:15:44 +0200
Subject: [PATCH 136/153] test
---
 .../create-logging-directory.yaml | 19 -------------------
 .../openbao-logging/logrotate-configmap.yaml | 2 +-
 .../openbao-logging/logrotate-cronjob.yaml | 2 +-
 .../ref-implementation/openbao/values.yaml | 6 +++---
 4 files changed, 5 insertions(+), 24 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
index 06321f9..7b2aa6d 100644
--- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
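Review bot: Moving `creator` from `initContainers` into `containers` (first hunk) makes a one-shot root container the pod's only workload: it exits as soon as `chown 100:100 /var/log/openbao` returns, and if this manifest is the DaemonSet the subject line refers to, the implied `restartPolicy: Always` restarts it in a loop, re-running `mkdir`/`chown` as root against the node's `/var/log` hostPath on every restart. Keep the directory setup in `initContainers` and pair it with a long-lived, non-root `containers` entry (the `running-container` the second hunk deletes served that role), or run the setup once from a Job instead. The large commented-out blocks added by the first hunk are dead text and should be removed rather than committed as comments. The pod spec continues outside these hunks.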
@@ -12,26 +12,7 @@ spec:
 labels:
 app: openbao-logging-dir
 spec:
- # initContainers:
- # - name: creator
- # image: busybox
- # command: ["/bin/sh", "-c"]
- # args:
- # - |
- # set -e
- # mkdir -p /var/log/openbao
- # chown 100:100 /var/log/openbao
- # securityContext:
- # runAsUser: 0
- # volumeMounts:
- # - name: host-log
- # mountPath: /var/log
 containers:
- # - name: running-container
- # image: busybox
- # command: ["sleep", "infinity"]
- # securityContext:
- # runAsUser: 0
 - name: creator
 image: busybox
 command: ["/bin/sh", "-c"]
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
index b8f9d1a..807387b 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@@ -5,7 +5,7 @@ metadata:
 data:
 logrotate.conf: |
 /openbao/logs/openbao/*.log {
- size 50M
+ size 1M
 rotate 7
 missingok
 notifempty
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index c8b80c4..755d6b9 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -4,7 +4,7 @@ metadata:
 name: logrotate-cronjob
 namespace: openbao
 spec:
- schedule: "0 * * * *"
+ schedule: "*/2 * * * *"
 jobTemplate:
 spec:
 template:
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index 18e79f6..b75b492 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -21,9 +21,9 @@ server:
 - name: logrotate-config-volume
 configMap:
 name: logrotate-config
- - name: passwd-volume
- configMap:
- name: passwd-user-configmap
+ # - name: passwd-volume
+ # configMap:
+ # name: passwd-user-configmap
 - name: status
 emptyDir: {}
 - name: host-log-storage
From 86fb4eefa31c1c1cb0161ac8533de1992b71d19c Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 14:17:05 +0200
Subject: [PATCH 137/153] mistake
---
 .../openbao-logging/logrotate-cronjob.yaml | 6 +++---
 template/stacks/ref-implementation/openbao/values.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 755d6b9..0cea75d 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -36,8 +36,8 @@ spec:
 - name: logrotate-config-volume
 configMap:
 name: logrotate-config
- - name: passwd-volume
- configMap:
- name: passwd-user-configmap
+ # - name: passwd-volume
+ # configMap:
+ # name: passwd-user-configmap
 - name: status
 emptyDir: {}
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index b75b492..18e79f6 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -21,9 +21,9 @@ server:
 - name: logrotate-config-volume
 configMap:
 name: logrotate-config
- # - name: passwd-volume
- # configMap:
- # name: passwd-user-configmap
+ - name: passwd-volume
+ configMap:
+ name: passwd-user-configmap
 - name: status
 emptyDir: {}
 - name: host-log-storage
From feae2ff0102c517f34de3fc596ab83ed7951e7d2 Mon Sep 17 00:00:00 2001
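Review bot: Commenting out the `passwd-volume` entry under `volumes` (first hunk) while the `volumeMounts` entry that references `passwd-volume` at `/etc/passwd` stays in place (it is visible as context in neighbouring hunks of this series) leaves a mount with no backing volume, which the API server rejects at admission, so the pod is not created at all rather than created without the file. The cronjob hunk of the following commit has the same split: the volume is commented out but its mount remains. A volume and its mount have to be enabled or disabled together, and deleting both instead of commenting them out would keep the manifests free of dead text. The pod specs continue outside these hunks.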
From: miwr
Date: Wed, 23 Apr 2025 14:19:48 +0200
Subject: [PATCH 138/153] another mistake
---
 .../openbao-logging/logrotate-cronjob.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 0cea75d..15d76c5 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -22,9 +22,9 @@ spec:
 mountPath: /etc/logrotate.conf
 subPath: logrotate.conf
 readOnly: true
- - name: passwd-volume
- mountPath: /etc/passwd
- subPath: passwd
+ # - name: passwd-volume
+ # mountPath: /etc/passwd
+ # subPath: passwd
 - name: status
 mountPath: /var/lib
 restartPolicy: OnFailure
From cee7ba8ff32b2f5371ea215ac33499c7ff4c2592 Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 14:27:15 +0200
Subject: [PATCH 139/153] - name: passwd-volume mountPath: /etc/passwd subPath: passwd
---
 .../openbao-logging/logrotate-cronjob.yaml | 12 ++++++------
 .../stacks/ref-implementation/openbao/values.yaml | 5 -----
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 15d76c5..755d6b9 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -22,9 +22,9 @@ spec:
 mountPath: /etc/logrotate.conf
 subPath: logrotate.conf
 readOnly: true
- # - name: passwd-volume
- # mountPath: /etc/passwd
- # subPath: passwd
+ - name: passwd-volume
+ mountPath: /etc/passwd
+ subPath: passwd
 - name: status
 mountPath: /var/lib
 restartPolicy: OnFailure
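Review bot: The re-enabled `passwd-volume` mount in the second hunk overlays the image's `/etc/passwd` with a ConfigMap file through `subPath` but, unlike the `logrotate.conf` mount directly above it, is not marked `readOnly: true`; add it so the two mounts are consistent and the intent is explicit, even though ConfigMap volumes are read-only in practice. Because the whole account file is replaced, `passwd-user-configmap` must carry every entry the image relies on, at least the uid 100 user the container's `securityContext` selects, and a comment on the mount saying why the file is overridden would save the next reader the archaeology. Note also that `subPath` mounts are not refreshed when the ConfigMap changes, so an edit to it only takes effect in the next Job pod. The container spec continues outside the hunk.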
@@ -36,8 +36,8 @@ spec:
 - name: logrotate-config-volume
 configMap:
 name: logrotate-config
- # - name: passwd-volume
- # configMap:
- # name: passwd-user-configmap
+ - name: passwd-volume
+ configMap:
+ name: passwd-user-configmap
 - name: status
 emptyDir: {}
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/openbao/values.yaml b/template/stacks/ref-implementation/openbao/values.yaml
index 18e79f6..ffbfa43 100644
--- a/template/stacks/ref-implementation/openbao/values.yaml
+++ b/template/stacks/ref-implementation/openbao/values.yaml
@@ -18,14 +18,9 @@ server:
 mountPath: /etc/passwd
 subPath: passwd
 volumes:
- - name: logrotate-config-volume
- configMap:
- name: logrotate-config
 - name: passwd-volume
 configMap:
 name: passwd-user-configmap
- - name: status
- emptyDir: {}
 - name: host-log-storage
 hostPath:
 path: /var/log
From 183cec8a9d77fdd197543237b5f8e353dde5d9f4 Mon Sep 17 00:00:00 2001
From: "franz.germann"
Date: Wed, 23 Apr 2025 14:37:50 +0200
Subject: [PATCH 140/153] testing redis changes
---
 template/stacks/core/forgejo/values.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index b98bbf3..3dd820c 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -24,11 +24,14 @@ gitea:
 database:
 DB_TYPE: sqlite3
 session:
- PROVIDER: memory
+ PROVIDER: redis
+ PROVIDER_CONFIG: network=tcp,addr=forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379
 cache:
- ADAPTER: memory
+ ADAPTER: redis
+ HOST: forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379
 queue:
- TYPE: level
+ TYPE: redis
+ CONN_STR: redis://forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379/0
 server:
 DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
 ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
From 32f084fcb62b5943adf2e3aef322de20874e5242 Mon Sep 17 00:00:00 2001
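Review bot: The Redis connection settings added in the last hunk (`PROVIDER_CONFIG`, `HOST`, `CONN_STR`) carry no credentials and use plain `redis://`, so Forgejo session state and queue items travel unauthenticated and unencrypted to `forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379`, and any workload that can reach that service can read or forge sessions. Unless the redis-cluster subchart is given a password elsewhere, add one to these strings from a Secret rather than this values file (and use `rediss://` where TLS is available), or at minimum fence the service with a NetworkPolicy. If the subchart really runs Redis in cluster mode, a plain `redis://` URL against the headless service talks to one arbitrary node with no slot redirection; Gitea's `redis+cluster://` scheme exists for that case, so confirm which mode is deployed. The `gitea` config block continues outside the hunk.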
From: miwr
Date: Wed, 23 Apr 2025 14:40:14 +0200
Subject: [PATCH 141/153] ds renewed
---
 .../create-logging-directory.yaml | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
index 7b2aa6d..0803643 100644
--- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
@@ -12,7 +12,7 @@ spec:
 labels:
 app: openbao-logging-dir
 spec:
- containers:
+ initContainers:
 - name: creator
 image: busybox
 command: ["/bin/sh", "-c"]
@@ -26,6 +26,25 @@ spec:
 volumeMounts:
 - name: host-log
 mountPath: /var/log
+ containers:
+ - name: running-container
+ image: busybox
+ command: ["sleep", "2"]
+ securityContext:
+ runAsUser: 0
+ - name: creator
+ image: busybox
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -e
+ mkdir -p /var/log/openbao
+ chown 100:100 /var/log/openbao
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: host-log
+ mountPath: /var/log
 volumes:
 - name: host-log
 hostPath:
From 07ff00fce1c45d680e77039e7b6763e09d403dcf Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 14:46:27 +0200
Subject: [PATCH 142/153] almost done
---
 .../openbao-logging/create-logging-directory.yaml | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
index 0803643..20192e3 100644
--- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
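Review bot: `running-container` in the second hunk runs `sleep 2` as root (`runAsUser: 0`) and exits after two seconds, so the pod's main container terminates almost immediately and, under a DaemonSet's `restartPolicy: Always`, is restarted continuously; a placeholder container should sleep indefinitely and has no reason to be root since it touches no files, so drop `runAsUser: 0` and add `runAsNonRoot: true`. The same root placeholder reappears when a later commit in this series changes the command to `sleep infinity`. The second `creator` entry added under `containers` duplicates the init container line for line and would re-run the `chown` as root on every restart; it should go. A short comment above `containers:` explaining that the pause container only keeps the DaemonSet pod alive after the init step would make the structure self-explanatory. The pod spec continues outside the hunk.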
@@ -32,19 +32,6 @@ spec:
 command: ["sleep", "2"]
 securityContext:
 runAsUser: 0
- - name: creator
- image: busybox
- command: ["/bin/sh", "-c"]
- args:
- - |
- set -e
- mkdir -p /var/log/openbao
- chown 100:100 /var/log/openbao
- securityContext:
- runAsUser: 0
- volumeMounts:
- - name: host-log
- mountPath: /var/log
 volumes:
 - name: host-log
 hostPath:
From 7287a6cf56498ecb012cb6955ab46b6207875ae1 Mon Sep 17 00:00:00 2001
From: "franz.germann"
Date: Wed, 23 Apr 2025 15:03:49 +0200
Subject: [PATCH 143/153] testing redis changes
---
 template/stacks/core/forgejo/values.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 3dd820c..cb378e9 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -25,13 +25,10 @@ gitea:
 DB_TYPE: sqlite3
 session:
 PROVIDER: redis
- PROVIDER_CONFIG: network=tcp,addr=forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379
 cache:
 ADAPTER: redis
- HOST: forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379
 queue:
 TYPE: redis
- CONN_STR: redis://forgejo-redis-cluster-headless.gitea.svc.cluster.local:6379/0
 server:
 DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}'
 ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443'
From f71729c07416f1d8caaa88c9d24e7f6b9781bb67 Mon Sep 17 00:00:00 2001
From: miwr
Date: Wed, 23 Apr 2025 15:22:38 +0200
Subject: [PATCH 144/153] finals touches
---
 .../ref-implementation/openbao-logging/logrotate-configmap.yaml | 2 +-
 .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
index 807387b..b8f9d1a 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-configmap.yaml
@@ -5,7 +5,7 @@ metadata:
 data:
 logrotate.conf: |
 /openbao/logs/openbao/*.log {
- size 1M
+ size 50M
 rotate 7
 missingok
 notifempty
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 755d6b9..c8b80c4 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -4,7 +4,7 @@ metadata:
 name: logrotate-cronjob
 namespace: openbao
 spec:
- schedule: "*/2 * * * *"
+ schedule: "0 * * * *"
 jobTemplate:
 spec:
 template:
From b89cfa49fd5fa6dd6e30f8170d323de543ec2120 Mon Sep 17 00:00:00 2001
From: miwr
Date: Thu, 24 Apr 2025 10:17:25 +0200
Subject: [PATCH 145/153] alloy config added
---
 template/stacks/monitoring/alloy/values.yaml | 21 +++++++++++++++++++
 .../create-logging-directory.yaml | 4 ++--
 .../openbao-logging/logrotate-cronjob.yaml | 2 ++
 3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index a2ac67d..44e9fdc 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -1,8 +1,19 @@
+controller:
+ volumes:
+ - name: host-log-storage
+ hostPath:
+ path: /var/log
+ type: Directory
 alloy:
 create: false
 name: alloy-config
 key: config.alloy
+ mounts:
+ - mountPath: /openbao/logs
+ name: host-log-storage
+ readOnly: true
+
 uiPathPrefix: "/alloy"
 configMap:
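Review bot: The hostPath added under `controller.volumes` in the last hunk hands the Alloy pod the node's entire `/var/log` tree although only `/openbao/logs/openbao/*` is tailed (per the next hunk of the same file); scoping it to `path: /var/log/openbao`, mounted at `mountPath: /openbao/logs/openbao`, keeps the tail pattern working while denying the collector every other service's logs on the node if it is ever compromised. The new lists also sit directly under `controller.volumes` and `alloy.mounts`, whereas the grafana/alloy chart keys them as `controller.volumes.extra` and `alloy.mounts.extra` (the following commit makes exactly that correction), so as written they are most likely ignored or rejected by the chart's schema. `readOnly: true` on the mount is the right call and worth keeping; a comment above `controller:` naming the DaemonSet that creates `/var/log/openbao` would document why `type: Directory` is safe to assume. The values file continues outside the hunk.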
@@ -72,6 +83,16 @@ alloy:
 }
+ local.file_match "file_logs" {
+ path_targets = [{"__path__" = "/openbao/logs/openbao/*"}]
+ sync_period = "5s"
+ }
+
+ loki.source.file "local_files" {
+ targets = local.file_match.file_logs.targets
+ forward_to = [loki.write.local_loki.receiver]
+ }
+
 loki.source.kubernetes "all_pod_logs" {
 targets = discovery.relabel.pod_logs.output
 forward_to = [loki.write.local_loki.receiver]
diff --git a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
index 20192e3..8ee41b7 100644
--- a/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/create-logging-directory.yaml
@@ -20,7 +20,7 @@ spec:
 - |
 set -e
 mkdir -p /var/log/openbao
- chown 100:100 /var/log/openbao
+ chown 100:100 /var/log/openbao
 securityContext:
 runAsUser: 0
 volumeMounts:
@@ -29,7 +29,7 @@ spec:
 containers:
 - name: running-container
 image: busybox
- command: ["sleep", "2"]
+ command: ["sleep", "infinity"]
 securityContext:
 runAsUser: 0
 volumes:
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index c8b80c4..9d1bb44 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -5,6 +5,8 @@ metadata:
 namespace: openbao
 spec:
 schedule: "0 * * * *"
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
 jobTemplate:
 spec:
 template:
From ed0d1debf4d2877f76734d76d06f9dc8434134db Mon Sep 17 00:00:00 2001
From: miwr
Date: Thu, 24 Apr 2025 10:24:34 +0200
Subject: [PATCH 146/153] extra
---
 template/stacks/monitoring/alloy/values.yaml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
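Review bot: `loki.source.file "local_files"` in the first hunk tails files under `/openbao/logs/openbao/` through a read-only hostPath, so the Alloy process must be able to read files that the logging DaemonSet creates under `chown 100:100`; unless the chart runs Alloy as that uid or the files are world-readable, the tailer silently yields nothing, so confirm the Alloy container's `runAsUser`/`fsGroup` (not visible here) against that ownership. The targets also carry no label beyond the one derived from `__path__`, so these entries arrive in Loki distinguishable from pod logs only by filename; adding a static label in the target map, `path_targets = [{"__path__" = "/openbao/logs/openbao/*", "job" = "openbao"}]`, keeps them queryable. A comment above `local.file_match` stating that the path is the hostPath mount of the node's `/var/log/openbao` would tie this block to the DaemonSet that populates it. The Alloy config block continues outside the hunk.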
diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
index 44e9fdc..db9263a 100644
--- a/template/stacks/monitoring/alloy/values.yaml
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -1,18 +1,20 @@
 controller:
 volumes:
- - name: host-log-storage
- hostPath:
- path: /var/log
- type: Directory
+ extra:
+ - name: host-log-storage
+ hostPath:
+ path: /var/log
+ type: Directory
 alloy:
 create: false
 name: alloy-config
 key: config.alloy
 mounts:
- - mountPath: /openbao/logs
- name: host-log-storage
- readOnly: true
+ extra:
+ - mountPath: /openbao/logs
+ name: host-log-storage
+ readOnly: true
 uiPathPrefix: "/alloy"
From b0834b73ccd5355df5a697172b6e455e838f18bf Mon Sep 17 00:00:00 2001
From: miwr
Date: Thu, 24 Apr 2025 10:51:32 +0200
Subject: [PATCH 147/153] */2 * * * *
---
 .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 9d1bb44..9921116 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -4,7 +4,7 @@ metadata:
 name: logrotate-cronjob
 namespace: openbao
 spec:
- schedule: "0 * * * *"
+ schedule: "*/2 * * * *"
 successfulJobsHistoryLimit: 1
 failedJobsHistoryLimit: 1
 jobTemplate:
From 934d182042ea84631bd35f616d544de1e4986aa1 Mon Sep 17 00:00:00 2001
From: miwr
Date: Thu, 24 Apr 2025 11:09:29 +0200
Subject: [PATCH 148/153] done
---
 .../ref-implementation/openbao-logging/logrotate-cronjob.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
index 9921116..9d1bb44 100644
--- a/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
+++ b/template/stacks/ref-implementation/openbao-logging/logrotate-cronjob.yaml
@@ -4,7 +4,7 @@ metadata:
 name: logrotate-cronjob
 namespace: openbao
 spec:
- schedule: "*/2 * * * *"
+ schedule: "0 * * * *"
 successfulJobsHistoryLimit: 1
 failedJobsHistoryLimit: 1
 jobTemplate:
From 4fd88985efa27962f767ccdc6d841cc977f5089a Mon Sep 17 00:00:00 2001
From: "Franz.Germann"
Date: Thu, 24 Apr 2025 15:29:34 +0000
Subject: [PATCH 149/153] template/stacks/core/forgejo.yaml aktualisiert
---
 template/stacks/core/forgejo.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/core/forgejo.yaml b/template/stacks/core/forgejo.yaml
index a89d576..52463b3 100644
--- a/template/stacks/core/forgejo.yaml
+++ b/template/stacks/core/forgejo.yaml
@@ -18,7 +18,7 @@ spec:
 sources:
 - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
 path: .
- targetRevision: v11.0.5-depends
+ targetRevision: v12.0.0-depends
 helm:
 valueFiles:
 - $values/stacks/core/forgejo/values.yaml
From dbd391d29c135a4d12632a88df72d184fce85ab9 Mon Sep 17 00:00:00 2001
From: "Franz.Germann"
Date: Thu, 24 Apr 2025 16:07:22 +0000
Subject: [PATCH 150/153] template/stacks/core/forgejo/values.yaml aktualisiert
---
 template/stacks/core/forgejo/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index cb378e9..4bf9a9d 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -1,5 +1,5 @@
 redis-cluster:
- enabled: true
+ enabled: false
 postgresql:
 enabled: false
 postgresql-ha:
From d3546717c09716b12ac5a4105db9a04a7906ab60 Mon Sep 17 00:00:00 2001
From: "Franz.Germann" Date: Thu, 24 Apr 2025 16:11:58 +0000 Subject: [PATCH 151/153] template/stacks/core/forgejo/values.yaml aktualisiert --- template/stacks/core/forgejo/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 4bf9a9d..90b01a6 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -24,11 +24,11 @@ gitea: database: DB_TYPE: sqlite3 session: - PROVIDER: redis + PROVIDER: memory cache: - ADAPTER: redis + ADAPTER: memory queue: - TYPE: redis + TYPE: level server: DOMAIN: '{{{ .Env.DOMAIN_GITEA }}}' ROOT_URL: 'https://{{{ .Env.DOMAIN_GITEA }}}:443' From f434e0680f0a2d426e78ae2ba9f806cda1681b88 Mon Sep 17 00:00:00 2001 From: "Franz.Germann" Date: Fri, 25 Apr 2025 10:54:28 +0000 Subject: [PATCH 152/153] template/stacks/core/forgejo/values.yaml aktualisiert --- template/stacks/core/forgejo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml index 90b01a6..b98bbf3 100644 --- a/template/stacks/core/forgejo/values.yaml +++ b/template/stacks/core/forgejo/values.yaml @@ -1,5 +1,5 @@ redis-cluster: - enabled: false + enabled: true postgresql: enabled: false postgresql-ha: From 16dde9ead1855c1064f86dad8d0fe16fc68e5010 Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Fri, 25 Apr 2025 14:09:17 +0200 Subject: [PATCH 153/153] final changes --- template/stacks/core/argocd-sso/argocd-sso-config.yaml | 5 ----- template/stacks/core/forgejo-sso/forgejo-access-token.yaml | 3 --- template/stacks/core/forgejo-sso/forgejo-sso-config.yaml | 5 ----- 3 files changed, 13 deletions(-) diff --git a/template/stacks/core/argocd-sso/argocd-sso-config.yaml b/template/stacks/core/argocd-sso/argocd-sso-config.yaml index 6beca14..27160cf 100644 --- a/template/stacks/core/argocd-sso/argocd-sso-config.yaml 
+++ b/template/stacks/core/argocd-sso/argocd-sso-config.yaml
@@ -14,11 +14,6 @@ spec:
 - name: push
 image: docker.io/library/ubuntu:22.04
 env:
- - name: ARGOCD_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: auth-generic-oauth-secret
- key: client_secret
 - name: FORGEJO_USER
 valueFrom:
 secretKeyRef:
diff --git a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
index c5e56d3..215af67 100644
--- a/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-access-token.yaml
@@ -15,9 +15,6 @@ spec:
 data:
 forgejo_username: "{{.FORGEJO_ACCESS_USERNAME}}"
 forgejo_token: "{{.FORGEJO_ACCESS_TOKEN}}"
- metadata:
- labels:
- app.kubernetes.io/part-of: argocd
 data:
 - secretKey: FORGEJO_ACCESS_USERNAME
 remoteRef:
diff --git a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
index bbb4178..875e348 100644
--- a/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
+++ b/template/stacks/core/forgejo-sso/forgejo-sso-config.yaml
@@ -14,11 +14,6 @@ spec:
 - name: push
 image: docker.io/library/ubuntu:22.04
 env:
- - name: FORGEJO_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: auth-generic-oauth-secret
- key: secret
 - name: FORGEJO_USER
 valueFrom:
 secretKeyRef: