diff --git a/.history/ref-implementation/maniek_20241112110416.yml b/.history/ref-implementation/maniek_20241112110416.yml new file mode 100644 index 0000000..e69de29 diff --git a/.history/ref-implementation/maniek_20241112110417.yml b/.history/ref-implementation/maniek_20241112110417.yml new file mode 100644 index 0000000..81ab8ad --- /dev/null +++ b/.history/ref-implementation/maniek_20241112110417.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8080 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + type: ClusterIP diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110416.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110416.yml new file mode 100644 index 0000000..81ab8ad --- /dev/null +++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110416.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8080 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + type: ClusterIP diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110859.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110859.yml new file mode 100644 index 0000000..d68ae99 --- /dev/null +++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110859.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8200 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + type: ClusterIP diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110906.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110906.yml new file mode 100644 index 0000000..3f9ba3f --- /dev/null +++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110906.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8200 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 80 + targetPort: 8200 + type: ClusterIP diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110950.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110950.yml new file mode 100644 index 0000000..9fdb23b --- /dev/null +++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110950.yml @@ -0,0 +1,41 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8200 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 80 + targetPort: 8200 + targetPort: 8200 + type: ClusterIP diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110952.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110952.yml new file mode 100644 index 0000000..3f9ba3f --- /dev/null +++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110952.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8200 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 80 + targetPort: 8200 + type: ClusterIP diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110953.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110953.yml new file mode 100644 index 0000000..8ec577d --- /dev/null +++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110953.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8200 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 8200 + targetPort: 8200 + type: ClusterIP diff --git a/.history/ref-implementation/openbao_20241112110613.yaml b/.history/ref-implementation/openbao_20241112110613.yaml new file mode 100644 index 0000000..0ff12a4 --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110613.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + //repoURL: 'https://github.com/openbao/openbao.git' + targetRevision: main + path: "openbao" + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/.history/ref-implementation/openbao_20241112110615.yaml b/.history/ref-implementation/openbao_20241112110615.yaml new file mode 100644 index 0000000..dd920ca --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110615.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + # repoURL: 'https://github.com/openbao/openbao.git' + targetRevision: main + path: "openbao" + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/.history/ref-implementation/openbao_20241112110641.yaml b/.history/ref-implementation/openbao_20241112110641.yaml new file mode 100644 index 0000000..8d19f61 --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110641.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + repoURL: 'https://github.com/openbao/openbao.git' + targetRevision: main + path: "openbao" + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/.history/ref-implementation/openbao_20241112110645.yaml b/.history/ref-implementation/openbao_20241112110645.yaml new file mode 100644 index 0000000..acc1c64 --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110645.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + repoURL: cnoe://keycloak/manifests + targetRevision: main + path: "openbao" + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/.history/ref-implementation/openbao_20241112110651.yaml b/.history/ref-implementation/openbao_20241112110651.yaml new file mode 100644 index 0000000..627b1fd --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110651.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + repoURL: cnoe://keycloak/manifests + targetRevision: main + path: "." + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/.history/ref-implementation/openbao_20241112110747.yaml b/.history/ref-implementation/openbao_20241112110747.yaml new file mode 100644 index 0000000..e398adc --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110747.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + repoURL: cnoe://keycloak/manifests + targetRevision: HEAD + path: "." + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/.history/ref-implementation/openbao_20241112110753.yaml b/.history/ref-implementation/openbao_20241112110753.yaml new file mode 100644 index 0000000..d06ab5e --- /dev/null +++ b/.history/ref-implementation/openbao_20241112110753.yaml @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openbao + namespace: argocd +spec: + destination: + namespace: openbao + server: "https://kubernetes.default.svc" + source: + repoURL: cnoe://openbao/manifests + targetRevision: HEAD + path: "." + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml index 8d19f61..d06ab5e 100644 --- a/ref-implementation/openbao.yaml +++ b/ref-implementation/openbao.yaml @@ -8,9 +8,9 @@ spec: namespace: openbao server: "https://kubernetes.default.svc" source: - repoURL: 'https://github.com/openbao/openbao.git' - targetRevision: main - path: "openbao" + repoURL: cnoe://openbao/manifests + targetRevision: HEAD + path: "." project: default syncPolicy: automated: diff --git a/ref-implementation/openbao/manifests/ingress.yaml b/ref-implementation/openbao/manifests/ingress.yaml deleted file mode 100644 index abaf181..0000000 --- a/ref-implementation/openbao/manifests/ingress.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: keycloak-ingress-localhost - namespace: keycloak - annotations: - argocd.argoproj.io/sync-wave: "100" -spec: - ingressClassName: "nginx" - rules: - - host: localhost - http: - paths: - - path: /keycloak - pathType: ImplementationSpecific - backend: - service: - name: keycloak - port: - name: http - - host: cnoe.localtest.me - http: - paths: - - path: /keycloak - pathType: ImplementationSpecific - backend: - service: - name: keycloak - port: - name: http diff --git a/ref-implementation/openbao/manifests/install.yaml b/ref-implementation/openbao/manifests/install.yaml deleted file mode 100644 index ed3b799..0000000 --- a/ref-implementation/openbao/manifests/install.yaml +++ /dev/null @@ -1,164 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: keycloak ---- -apiVersion: v1 -kind: Service -metadata: - name: keycloak - labels: - app: keycloak -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - selector: - app: keycloak - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: keycloak - name: keycloak - namespace: keycloak - annotations: - argocd.argoproj.io/sync-wave: "10" -spec: - replicas: 1 - selector: - matchLabels: - app: keycloak - template: - metadata: - labels: - app: keycloak - spec: - containers: - - args: - - start-dev - env: - - name: KEYCLOAK_ADMIN - value: cnoe-admin - - name: KEYCLOAK_LOGLEVEL - value: ALL - - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY - value: 'true' - envFrom: - - secretRef: - name: keycloak-config - image: quay.io/keycloak/keycloak:22.0.3 - name: keycloak - ports: - - containerPort: 8080 - name: http - readinessProbe: - httpGet: - path: /keycloak/realms/master - port: 8080 - volumeMounts: - - mountPath: /opt/keycloak/conf - name: keycloak-config - readOnly: true - volumes: - - configMap: - name: keycloak-config - name: keycloak-config ---- -apiVersion: v1 -data: - keycloak.conf: | - # Database - # The database vendor. - db=postgres - - # The username of the database user. - db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres - - # The proxy address forwarding mode if the server is behind a reverse proxy. - proxy=edge - - # hostname configuration - hostname=cnoe.localtest.me - hostname-port=8443 - http-relative-path=keycloak - - # the admin url requires its own configuration to reflect correct url - hostname-admin=cnoe.localtest.me:8443 - - hostname-debug=true - - # this should only be allowed in development. NEVER in production. - hostname-strict=false - hostname-strict-backchannel=false - - -kind: ConfigMap -metadata: - name: keycloak-config - namespace: keycloak ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: postgresql - name: postgresql - namespace: keycloak -spec: - clusterIP: None - ports: - - name: postgres - port: 5432 - selector: - app: postgresql ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app: postgresql - name: postgresql - namespace: keycloak -spec: - replicas: 1 - selector: - matchLabels: - app: postgresql - serviceName: service-postgresql - template: - metadata: - labels: - app: postgresql - spec: - containers: - - envFrom: - - secretRef: - name: keycloak-config - image: docker.io/library/postgres:15.3-alpine3.18 - name: postgres - ports: - - containerPort: 5432 - name: postgresdb - resources: - limits: - memory: 500Mi - requests: - cpu: 100m - memory: 300Mi - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: "500Mi" - diff --git a/ref-implementation/openbao/manifests/keycloak-config.yaml b/ref-implementation/openbao/manifests/keycloak-config.yaml deleted file mode 100644 index 4bb098e..0000000 --- a/ref-implementation/openbao/manifests/keycloak-config.yaml +++ /dev/null @@ -1,366 +0,0 @@ -# resources here are used to configure keycloak instance for SSO -apiVersion: v1 -kind: ServiceAccount -metadata: - name: keycloak-config - namespace: keycloak ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: keycloak-config - namespace: keycloak -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: keycloak-config - namespace: keycloak -subjects: - - kind: ServiceAccount - name: keycloak-config - namespace: keycloak -roleRef: - kind: Role - name: keycloak-config - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: keycloak-config - namespace: argocd -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: keycloak-config - namespace: argocd -subjects: - - kind: ServiceAccount - name: keycloak-config - namespace: keycloak -roleRef: - kind: Role - name: keycloak-config - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-job - namespace: keycloak -data: - client-scope-groups-payload.json: | - { - "name": "groups", - "description": "groups a user belongs to", - "attributes": { - "consent.screen.text": "Access to groups a user belongs to.", - "display.on.consent.screen": "true", - "include.in.token.scope": "true", - "gui.order": "" - }, - "type": "default", - "protocol": "openid-connect" - } - group-admin-payload.json: | - {"name":"admin"} - group-base-user-payload.json: | - {"name":"base-user"} - group-mapper-payload.json: | - { - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "name": "groups", - "config": { - "claim.name": "groups", - "full.path": "false", - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - } - realm-payload.json: | - {"realm":"cnoe","enabled":true} - user-password.json: | - { - "temporary": false, - "type": "password", - "value": "${USER1_PASSWORD}" - } - user-user1.json: | - { - "username": "user1", - "email": "", - "firstName": "user", - "lastName": "one", - "requiredActions": [], - "emailVerified": false, - "groups": [ - "/admin" - ], - "enabled": true - } - user-user2.json: | - { - "username": "user2", - "email": "", - "firstName": "user", - "lastName": "two", - "requiredActions": [], - "emailVerified": false, - "groups": [ - "/base-user" - ], - "enabled": true - } - argo-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "argo-workflows", - "name": "Argo Workflows Client", - "description": "Used for Argo Workflows SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "", - "baseUrl": "", - "redirectUris": [ - "https://cnoe.localtest.me:8443/argo-workflows/oauth2/callback" - ], - "webOrigins": [ - "/*" - ] - } - - backstage-client-payload.json: | - { - "protocol": "openid-connect", - "clientId": "backstage", - "name": "Backstage Client", - "description": "Used for Backstage SSO", - "publicClient": false, - "authorizationServicesEnabled": false, - "serviceAccountsEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "standardFlowEnabled": true, - "frontchannelLogout": true, - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oauth2.device.authorization.grant.enabled": false, - "oidc.ciba.grant.enabled": false - }, - "alwaysDisplayInConsole": false, - "rootUrl": "", - "baseUrl": "", - "redirectUris": [ - "https://cnoe.localtest.me:8443/api/auth/keycloak-oidc/handler/frame" - ], - "webOrigins": [ - "/*" - ] - } - ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: config - namespace: keycloak - annotations: - argocd.argoproj.io/hook: PostSync -spec: - template: - metadata: - generateName: config - spec: - serviceAccountName: keycloak-config - restartPolicy: Never - volumes: - - name: keycloak-config - secret: - secretName: keycloak-config - - name: config-payloads - configMap: - name: config-job - containers: - - name: kubectl - image: docker.io/library/ubuntu:22.04 - volumeMounts: - - name: keycloak-config - readOnly: true - mountPath: "/var/secrets/" - - name: config-payloads - readOnly: true - mountPath: "/var/config/" - command: ["/bin/bash", "-c"] - args: - - | - #! /bin/bash - - set -ex -o pipefail - - apt -qq update && apt -qq install curl jq -y - - ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD) - USER1_PASSWORD=$(cat /var/secrets/USER_PASSWORD) - - KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:8080/keycloak - - KEYCLOAK_TOKEN=$(curl -sS --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \ - --data-urlencode "username=cnoe-admin" \ - --data-urlencode "password=${ADMIN_PASSWORD}" \ - --data-urlencode "grant_type=password" \ - --data-urlencode "client_id=admin-cli" \ - ${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token | jq -e -r '.access_token') - - set +e - - curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe" &> /dev/null - if [ $? -eq 0 ]; then - exit 0 - fi - set -e - - curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl" - chmod +x kubectl - - echo "creating cnoe realm and groups" - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/realm-payload.json \ - ${KEYCLOAK_URL}/admin/realms - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/client-scope-groups-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/group-admin-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/groups - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/group-base-user-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/groups - - # Create scope mapper - echo 'adding group claim to tokens' - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/group-mapper-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models - - echo "creating test users" - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/user-user1.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/users - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/user-user2.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/users - - USER1ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=one" | jq -r '.[0].id') - USER2ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=two" | jq -r '.[0].id') - - echo "setting user passwords" - jq -r --arg pass ${USER1_PASSWORD} '.value = $pass' /var/config/user-password.json > /tmp/user-password-to-be-applied.json - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT --data @/tmp/user-password-to-be-applied.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER1ID}/reset-password - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT --data @/tmp/user-password-to-be-applied.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER2ID}/reset-password - - echo "creating Argo Workflows client" - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/argo-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients - - CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argo-workflows") | .id') - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - - ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - echo "creating Backstage client" - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/backstage-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients - - CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "backstage") | .id') - - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - - BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') - - ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token) - - echo \ - "apiVersion: v1 - kind: Secret - metadata: - name: keycloak-clients - namespace: keycloak - type: Opaque - stringData: - ARGO_WORKFLOWS_CLIENT_SECRET: ${ARGO_WORKFLOWS_CLIENT_SECRET} - ARGO_WORKFLOWS_CLIENT_ID: argo-workflows - ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} - BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} - BACKSTAGE_CLIENT_ID: backstage - " > /tmp/secret.yaml - - ./kubectl apply -f /tmp/secret.yaml - diff --git a/ref-implementation/openbao/manifests/manifest.yml b/ref-implementation/openbao/manifests/manifest.yml new file mode 100644 index 0000000..8ec577d --- /dev/null +++ b/ref-implementation/openbao/manifests/manifest.yml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao + namespace: openbao +spec: + replicas: 1 + selector: + matchLabels: + app: openbao + template: + metadata: + labels: + app: openbao + spec: + containers: + - name: openbao + image: openbao/openbao:latest # Replace with the actual image + ports: + - containerPort: 8200 + +--- +apiVersion: v1 +kind: Service +metadata: + name: openbao + namespace: openbao +spec: + selector: + app: openbao + ports: + - protocol: TCP + port: 8200 + targetPort: 8200 + type: ClusterIP diff --git a/ref-implementation/openbao/manifests/secret-gen.yaml b/ref-implementation/openbao/manifests/secret-gen.yaml deleted file mode 100644 index f7bf8c9..0000000 --- a/ref-implementation/openbao/manifests/secret-gen.yaml +++ /dev/null @@ -1,179 +0,0 @@ -apiVersion: generators.external-secrets.io/v1alpha1 -kind: Password -metadata: - name: keycloak - namespace: keycloak -spec: - length: 36 - digits: 5 - symbols: 5 - symbolCharacters: "/-+" - noUpper: false - allowRepeat: true ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: keycloak-config - namespace: keycloak -spec: - refreshInterval: "0" - target: - name: keycloak-config - template: - metadata: - labels: - cnoe.io/cli-secret: "true" - cnoe.io/package-name: keycloak - engineVersion: v2 - data: - KEYCLOAK_ADMIN_PASSWORD: "{{.KEYCLOAK_ADMIN_PASSWORD}}" - KC_DB_USERNAME: keycloak - KC_DB_PASSWORD: "{{.KC_DB_PASSWORD}}" - POSTGRES_DB: keycloak - POSTGRES_USER: keycloak - POSTGRES_PASSWORD: "{{.KC_DB_PASSWORD}}" - USER_PASSWORD: "{{.USER_PASSWORD}}" - dataFrom: - - sourceRef: - generatorRef: - apiVersion: generators.external-secrets.io/v1alpha1 - kind: Password - name: keycloak - rewrite: - - transform: - template: "KEYCLOAK_ADMIN_PASSWORD" - - sourceRef: - generatorRef: - apiVersion: generators.external-secrets.io/v1alpha1 - kind: Password - name: keycloak - rewrite: - - transform: - template: "KC_DB_PASSWORD" - - sourceRef: - generatorRef: - apiVersion: generators.external-secrets.io/v1alpha1 - kind: Password - name: keycloak - rewrite: - - transform: - template: "USER_PASSWORD" ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: eso-store - namespace: keycloak ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: keycloak - name: eso-store -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - authorization.k8s.io - resources: - - selfsubjectrulesreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: eso-store - namespace: keycloak -subjects: - - kind: ServiceAccount - name: eso-store - namespace: keycloak -roleRef: - kind: Role - name: eso-store - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: keycloak -spec: - provider: - kubernetes: - remoteNamespace: keycloak - server: - caProvider: - type: ConfigMap - name: kube-root-ca.crt - namespace: keycloak - key: ca.crt - auth: - serviceAccount: - name: eso-store - namespace: keycloak ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: eso-store - namespace: gitea ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: eso-store - namespace: gitea -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - authorization.k8s.io - resources: - - selfsubjectrulesreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: eso-store - namespace: gitea -subjects: - - kind: ServiceAccount - name: eso-store - namespace: gitea -roleRef: - kind: Role - name: eso-store - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: gitea -spec: - provider: - kubernetes: - remoteNamespace: gitea - server: - caProvider: - type: ConfigMap - name: kube-root-ca.crt - namespace: gitea - key: ca.crt - auth: - serviceAccount: - name: eso-store - namespace: gitea