From 2608dde2a6030add793009dbb23eeb08bf2d28e7 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Mon, 11 Nov 2024 14:39:55 +0100
Subject: [PATCH] openbao

---
 .../open-bao_20241111142831.yaml              |  21 +
 .../open-bao_20241111142912.yaml              |  21 +
 .../open-bao_20241111142943.yaml              |  22 ++
 .../open-bao_20241111142944.yaml              |  22 ++
 .../open-bao_20241111142947.yaml              |  21 +
 .../open-bao_20241111142957.yaml              |  21 +
 .../open-bao_20241111143101.yaml              |  21 +
 .../openbao_20241111143100.yaml               |  21 +
 .../openbao_20241111143152.yaml               |  21 +
 .../openbao_20241111143207.yaml               |  21 +
 ref-implementation/openbao.yaml               |  21 +
 .../openbao/manifests/ingress.yaml            |  30 ++
 .../openbao/manifests/install.yaml            | 164 ++++++++
 .../openbao/manifests/keycloak-config.yaml    | 366 ++++++++++++++++++
 .../openbao/manifests/secret-gen.yaml         | 179 +++++++++
 15 files changed, 972 insertions(+)
 create mode 100644 .history/ref-implementation/open-bao_20241111142831.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142912.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142943.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142944.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142947.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142957.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111143101.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111143100.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111143152.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111143207.yaml
 create mode 100644 ref-implementation/openbao.yaml
 create mode 100644 ref-implementation/openbao/manifests/ingress.yaml
 create mode 100644 ref-implementation/openbao/manifests/install.yaml
 create mode 100644 ref-implementation/openbao/manifests/keycloak-config.yaml
 create mode 100644 ref-implementation/openbao/manifests/secret-gen.yaml

diff --git a/.history/ref-implementation/open-bao_20241111142831.yaml b/.history/ref-implementation/open-bao_20241111142831.yaml
new file mode 100644
index 0000000..d279bc5
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142831.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+  labels:
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142912.yaml b/.history/ref-implementation/open-bao_20241111142912.yaml
new file mode 100644
index 0000000..0d8f748
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142912.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142943.yaml b/.history/ref-implementation/open-bao_20241111142943.yaml
new file mode 100644
index 0000000..38a34a4
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142943.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+  env: dev
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142944.yaml b/.history/ref-implementation/open-bao_20241111142944.yaml
new file mode 100644
index 0000000..7249de0
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142944.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142947.yaml b/.history/ref-implementation/open-bao_20241111142947.yaml
new file mode 100644
index 0000000..3aa23e8
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142947.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142957.yaml b/.history/ref-implementation/open-bao_20241111142957.yaml
new file mode 100644
index 0000000..a557757
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142957.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111143101.yaml b/.history/ref-implementation/open-bao_20241111143101.yaml
new file mode 100644
index 0000000..a132e8d
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111143101.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111143100.yaml b/.history/ref-implementation/openbao_20241111143100.yaml
new file mode 100644
index 0000000..a132e8d
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111143100.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111143152.yaml b/.history/ref-implementation/openbao_20241111143152.yaml
new file mode 100644
index 0000000..aa23be6
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111143152.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111143207.yaml b/.history/ref-implementation/openbao_20241111143207.yaml
new file mode 100644
index 0000000..8a632d4
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111143207.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
new file mode 100644
index 0000000..8a632d4
--- /dev/null
+++ b/ref-implementation/openbao.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/ref-implementation/openbao/manifests/ingress.yaml b/ref-implementation/openbao/manifests/ingress.yaml
new file mode 100644
index 0000000..abaf181
--- /dev/null
+++ b/ref-implementation/openbao/manifests/ingress.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress-localhost
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/ref-implementation/openbao/manifests/install.yaml b/ref-implementation/openbao/manifests/install.yaml
new file mode 100644
index 0000000..ed3b799
--- /dev/null
+++ b/ref-implementation/openbao/manifests/install.yaml
@@ -0,0 +1,164 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/ref-implementation/openbao/manifests/keycloak-config.yaml b/ref-implementation/openbao/manifests/keycloak-config.yaml
new file mode 100644
index 0000000..4bb098e
--- /dev/null
+++ b/ref-implementation/openbao/manifests/keycloak-config.yaml
@@ -0,0 +1,366 @@
+# resources here are used to configure keycloak instance for SSO
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: keycloak-config
+    namespace: keycloak
+roleRef:
+  kind: Role
+  name: keycloak-config
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: keycloak-config
+  namespace: argocd
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: keycloak-config
+  namespace: argocd
+subjects:
+  - kind: ServiceAccount
+    name: keycloak-config
+    namespace: keycloak
+roleRef:
+  kind: Role
+  name: keycloak-config
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-job
+  namespace: keycloak
+data:
+  client-scope-groups-payload.json: |
+    {
+      "name": "groups",
+      "description": "groups a user belongs to",
+      "attributes": {
+          "consent.screen.text": "Access to groups a user belongs to.",
+          "display.on.consent.screen": "true",
+          "include.in.token.scope": "true",
+          "gui.order": ""
+      },
+      "type": "default",
+      "protocol": "openid-connect"
+    }
+  group-admin-payload.json: |
+    {"name":"admin"}
+  group-base-user-payload.json: |
+    {"name":"base-user"}
+  group-mapper-payload.json: |
+    {
+        "protocol": "openid-connect",
+        "protocolMapper": "oidc-group-membership-mapper",
+        "name": "groups",
+        "config": {
+          "claim.name": "groups",
+          "full.path": "false",
+          "id.token.claim": "true",
+          "access.token.claim": "true",
+          "userinfo.token.claim": "true"
+        }
+    }
+  realm-payload.json: |
+    {"realm":"cnoe","enabled":true}
+  user-password.json: |
+    {
+        "temporary": false,
+        "type": "password",
+        "value": "${USER1_PASSWORD}"
+    }
+  user-user1.json: |
+    {
+        "username": "user1",
+        "email": "",
+        "firstName": "user",
+        "lastName": "one",
+        "requiredActions": [],
+        "emailVerified": false,
+        "groups": [
+          "/admin"
+        ],
+        "enabled": true
+    }
+  user-user2.json: |
+    {
+        "username": "user2",
+        "email": "",
+        "firstName": "user",
+        "lastName": "two",
+        "requiredActions": [],
+        "emailVerified": false,
+        "groups": [
+          "/base-user"
+        ],
+        "enabled": true
+    }
+  argo-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "argo-workflows",
+      "name": "Argo Workflows Client",
+      "description": "Used for Argo Workflows SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://cnoe.localtest.me:8443/argo-workflows/oauth2/callback"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }
+
+  backstage-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "backstage",
+      "name": "Backstage Client",
+      "description": "Used for Backstage SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://cnoe.localtest.me:8443/api/auth/keycloak-oidc/handler/frame"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: config
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+spec:
+  template:
+    metadata:
+      generateName: config
+    spec:
+      serviceAccountName: keycloak-config
+      restartPolicy: Never
+      volumes:
+        - name: keycloak-config
+          secret:
+            secretName: keycloak-config
+        - name: config-payloads
+          configMap:
+            name: config-job
+      containers:
+        - name: kubectl
+          image: docker.io/library/ubuntu:22.04
+          volumeMounts:
+            - name: keycloak-config
+              readOnly: true
+              mountPath: "/var/secrets/"
+            - name: config-payloads
+              readOnly: true
+              mountPath: "/var/config/"
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+  
+              set -ex -o pipefail
+              
+              apt -qq update && apt -qq install curl jq -y
+              
+              ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD)
+              USER1_PASSWORD=$(cat /var/secrets/USER_PASSWORD)
+
+              KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:8080/keycloak
+
+              KEYCLOAK_TOKEN=$(curl -sS  --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \
+                --data-urlencode "username=cnoe-admin" \
+                --data-urlencode "password=${ADMIN_PASSWORD}" \
+                --data-urlencode "grant_type=password" \
+                --data-urlencode "client_id=admin-cli" \
+                ${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token | jq -e -r '.access_token')
+                
+              set +e
+              
+              curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}"  "${KEYCLOAK_URL}/admin/realms/cnoe"  &> /dev/null
+              if [ $? -eq 0 ]; then
+                exit 0
+              fi
+              set -e
+              
+              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              chmod +x kubectl
+              
+              echo "creating cnoe realm and groups"
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/realm-payload.json \
+                ${KEYCLOAK_URL}/admin/realms
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/client-scope-groups-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/group-admin-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/group-base-user-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
+              
+              # Create scope mapper
+                echo 'adding group claim to tokens'
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/group-mapper-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models
+                
+              echo "creating test users"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/user-user1.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/user-user2.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users
+              
+              USER1ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=one" | jq -r '.[0].id')
+              USER2ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=two" | jq -r '.[0].id')
+              
+              echo "setting user passwords"
+              jq -r --arg pass ${USER1_PASSWORD}  '.value = $pass' /var/config/user-password.json > /tmp/user-password-to-be-applied.json
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT --data @/tmp/user-password-to-be-applied.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER1ID}/reset-password
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT --data @/tmp/user-password-to-be-applied.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER2ID}/reset-password
+            
+              echo "creating Argo Workflows client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X POST --data @/var/config/argo-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argo-workflows") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+              echo "creating Backstage client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/backstage-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
+              
+              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
+              
+              echo \
+              "apiVersion: v1
+              kind: Secret
+              metadata:
+                name: keycloak-clients
+                namespace: keycloak
+              type: Opaque
+              stringData:
+                ARGO_WORKFLOWS_CLIENT_SECRET: ${ARGO_WORKFLOWS_CLIENT_SECRET}
+                ARGO_WORKFLOWS_CLIENT_ID: argo-workflows
+                ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
+                BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
+                BACKSTAGE_CLIENT_ID: backstage
+              " > /tmp/secret.yaml
+              
+              ./kubectl apply -f /tmp/secret.yaml
+              
diff --git a/ref-implementation/openbao/manifests/secret-gen.yaml b/ref-implementation/openbao/manifests/secret-gen.yaml
new file mode 100644
index 0000000..f7bf8c9
--- /dev/null
+++ b/ref-implementation/openbao/manifests/secret-gen.yaml
@@ -0,0 +1,179 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+  name: keycloak
+  namespace: keycloak
+spec:
+  length: 36
+  digits: 5
+  symbols: 5
+  symbolCharacters: "/-+"
+  noUpper: false
+  allowRepeat: true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+spec:
+  refreshInterval: "0"
+  target:
+    name: keycloak-config
+    template:
+      metadata:
+        labels:
+          cnoe.io/cli-secret: "true"
+          cnoe.io/package-name: keycloak
+      engineVersion: v2
+      data:
+        KEYCLOAK_ADMIN_PASSWORD: "{{.KEYCLOAK_ADMIN_PASSWORD}}"
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: "{{.KC_DB_PASSWORD}}"
+        POSTGRES_DB: keycloak
+        POSTGRES_USER: keycloak
+        POSTGRES_PASSWORD: "{{.KC_DB_PASSWORD}}"
+        USER_PASSWORD: "{{.USER_PASSWORD}}"
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: keycloak
+      rewrite:
+        - transform:
+            template: "KEYCLOAK_ADMIN_PASSWORD"
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: keycloak
+      rewrite:
+        - transform:
+            template: "KC_DB_PASSWORD"
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: keycloak
+      rewrite:
+        - transform:
+            template: "USER_PASSWORD"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eso-store
+  namespace: keycloak
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: keycloak
+  name: eso-store
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: eso-store
+  namespace: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: eso-store
+    namespace: keycloak
+roleRef:
+  kind: Role
+  name: eso-store
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: keycloak
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: keycloak
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          namespace: keycloak
+          key: ca.crt
+      auth:
+        serviceAccount:
+          name: eso-store
+          namespace: keycloak
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eso-store
+  namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: eso-store
+  namespace: gitea
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: eso-store
+  namespace: gitea
+subjects:
+  - kind: ServiceAccount
+    name: eso-store
+    namespace: gitea
+roleRef:
+  kind: Role
+  name: eso-store
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: gitea
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: gitea
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          namespace: gitea
+          key: ca.crt
+      auth:
+        serviceAccount:
+          name: eso-store
+          namespace: gitea