wip

ref/packages/argo-workflows-old/manifests/base/kustomization.yaml

@@ -1,2 +0,0 @@
-resources:
-  - install.yaml

ref/packages/argo-workflows-old/manifests/dev/external-secret.yaml

@@ -1,20 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: keycloak-oidc
-  namespace: argo
-spec:
-  secretStoreRef:
-    name: keycloak
-    kind: ClusterSecretStore
-  target:
-    name: keycloak-oidc
-  data:
-    - secretKey: client-id
-      remoteRef:
-        key: keycloak-clients
-        property: ARGO_WORKFLOWS_CLIENT_ID
-    - secretKey: secret-key
-      remoteRef:
-        key: keycloak-clients
-        property: ARGO_WORKFLOWS_CLIENT_SECRET

ref/packages/argo-workflows-old/manifests/dev/ingress.yaml

@@ -1,31 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argo-workflows-ingress
-  namespace: argo
-  annotations:
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-spec:
-  ingressClassName: "nginx"
-  rules:
-    - host: localhost
-      http:
-        paths:
-          - path: /argo-workflows(/|$)(.*)
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: argo-server
-                port:
-                  name: web
-    - host: cnoe.localtest.me
-      http:
-        paths:
-          - path: /argo-workflows(/|$)(.*)
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: argo-server
-                port:
-                  name: web

ref/packages/argo-workflows-old/manifests/dev/kustomization.yaml

@@ -1,8 +0,0 @@
-resources:
-  - ../base
-  - external-secret.yaml
-  - ingress.yaml
-  - sa-admin.yaml
-patches:
-  - path: patches/cm-argo-workflows.yaml
-  - path: patches/deployment-argo-server.yaml

ref/packages/argo-workflows-old/manifests/dev/patches/cm-argo-workflows.yaml

@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: workflow-controller-configmap
-  namespace: argo
-data:
-  config: |
-    sso:
-      insecureSkipVerify: true 
-      issuer: https://cnoe.localtest.me:8443/keycloak/realms/cnoe
-      clientId:
-        name: keycloak-oidc
-        key: client-id
-      clientSecret:
-        name: keycloak-oidc
-        key: secret-key
-      redirectUrl: https://cnoe.localtest.me:8443/argo-workflows/oauth2/callback
-      rbac:
-        enabled: true
-      scopes:
-        - openid
-        - profile
-        - email
-        - groups
-    nodeEvents:
-      enabled: false

ref/packages/argo-workflows-old/manifests/dev/patches/deployment-argo-server.yaml

@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: argo-server
-  namespace: argo
-  annotations:
-    argocd.argoproj.io/sync-wave: "20"
-spec:
-  template:
-    spec:
-      containers:
-        - name: argo-server
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 2746
-              scheme: HTTP
-          env:
-            - name: BASE_HREF
-              value: "/argo-workflows/"
-          args:
-            - server
-            - --configmap=workflow-controller-configmap
-            - --auth-mode=client
-            - --auth-mode=sso
-            - "--secure=false"
-            - "--loglevel"
-            - "info"
-            - "--log-format"
-            - "text"

ref/packages/argo-workflows-old/manifests/dev/sa-admin.yaml

@@ -1,32 +0,0 @@
-# Used by users in the admin group
-# TODO Need to tighten up permissions.
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: admin
-  namespace: argo
-  annotations:
-    workflows.argoproj.io/rbac-rule: "'admin' in groups"
-    workflows.argoproj.io/rbac-rule-precedence: "10"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: argo-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: admin
-    namespace: argo
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: admin.service-account-token
-  annotations:
-    kubernetes.io/service-account.name: admin
-  namespace: argo
-type: kubernetes.io/service-account-token

ref/packages/back/manifests/argocd-secrets.yaml

@@ -1,77 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: eso-store
-  namespace: argocd
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: eso-store
-  namespace: argocd
-rules:
-  - apiGroups: [""]
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - selfsubjectrulesreviews
-    verbs:
-      - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: eso-store
-  namespace: argocd
-subjects:
-  - kind: ServiceAccount
-    name: eso-store
-    namespace: argocd
-roleRef:
-  kind: Role
-  name: eso-store
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: argocd
-spec:
-  provider:
-    kubernetes:
-      remoteNamespace: argocd
-      server:
-        caProvider:
-          type: ConfigMap
-          name: kube-root-ca.crt
-          namespace: argocd
-          key: ca.crt
-      auth:
-        serviceAccount:
-          name: eso-store
-          namespace: argocd
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: argocd-credentials
-  namespace: backstage
-spec:
-  secretStoreRef:
-    name: argocd
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: argocd-credentials
-  data:
-    - secretKey: ARGOCD_ADMIN_PASSWORD
-      remoteRef:
-        key: argocd-initial-admin-secret
-        property: password

ref/packages/back/manifests/install.yaml

@@ -1,459 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: backstage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: backstage
-  namespace: backstage
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: backstage-argo-worfklows
-rules:
-  - apiGroups:
-      - argoproj.io
-    resources:
-      - workflows
-    verbs:
-      - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: read-all
-rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - get
-      - list
-      - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: backstage-argo-worfklows
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: backstage-argo-worfklows
-subjects:
-  - kind: ServiceAccount
-    name: backstage
-    namespace: backstage
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: backstage-read-all
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: read-all
-subjects:
-  - kind: ServiceAccount
-    name: backstage
-    namespace: backstage
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: backstage-config
-  namespace: backstage
-data:
-  app-config.yaml: |
-    app:
-      title: CNOE Backstage
-      baseUrl: https://cnoe.localtest.me:8443
-    organization:
-      name: CNOE
-    backend:
-      # Used for enabling authentication, secret is shared by all backend plugins
-      # See https://backstage.io/docs/tutorials/backend-to-backend-auth for
-      # information on the format
-      # auth:
-      #   keys:
-      #     - secret: ${BACKEND_SECRET}
-      baseUrl: https://cnoe.localtest.me:8443
-      listen:
-        port: 7007
-        # Uncomment the following host directive to bind to specific interfaces
-        # host: 127.0.0.1
-      csp:
-        connect-src: ["'self'", 'http:', 'https:']
-        # Content-Security-Policy directives follow the Helmet format: https://helmetjs.github.io/#reference
-        # Default Helmet Content-Security-Policy values can be removed by setting the key to false
-      cors:
-        origin: https://cnoe.localtest.me:8443
-        methods: [GET, HEAD, PATCH, POST, PUT, DELETE]
-        credentials: true
-      database:
-        client: pg
-        connection:
-          host: ${POSTGRES_HOST}
-          port: ${POSTGRES_PORT}
-          user: ${POSTGRES_USER}
-          password: ${POSTGRES_PASSWORD}
-      cache:
-        store: memory
-      # workingDirectory: /tmp # Use this to configure a working directory for the scaffolder, defaults to the OS temp-dir
-
-    integrations:
-      gitea:
-        - baseUrl: https://cnoe.localtest.me:8443/gitea
-          host: cnoe.localtest.me:8443
-          username: ${GITEA_USERNAME}
-          password: ${GITEA_PASSWORD}
-        - baseUrl: https://cnoe.localtest.me/gitea
-          host: cnoe.localtest.me
-          username: ${GITEA_USERNAME}
-          password: ${GITEA_PASSWORD}
-    #  github:
-    #    - host: github.com
-    #      apps:
-    #        - $include: github-integration.yaml
-    #    - host: github.com
-    #      # This is a Personal Access Token or PAT from GitHub. You can find out how to generate this token, and more information
-    #      # about setting up the GitHub integration here: https://backstage.io/docs/getting-started/configuration#setting-up-a-github-integration
-    #      token: ${GITHUB_TOKEN}
-        ### Example for how to add your GitHub Enterprise instance using the API:
-        # - host: ghe.example.net
-        #   apiBaseUrl: https://ghe.example.net/api/v3
-        #   token: ${GHE_TOKEN}
-
-    # Reference documentation http://backstage.io/docs/features/techdocs/configuration
-    # Note: After experimenting with basic setup, use CI/CD to generate docs
-    # and an external cloud storage when deploying TechDocs for production use-case.
-    # https://backstage.io/docs/features/techdocs/how-to-guides#how-to-migrate-from-techdocs-basic-to-recommended-deployment-approach
-    techdocs:
-      builder: 'local' # Alternatives - 'external'
-      generator:
-        runIn: 'docker' # Alternatives - 'local'
-      publisher:
-        type: 'local' # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.
-
-    auth:
-      environment: development
-      session:
-        secret: MW2sV-sIPngEl26vAzatV-6VqfsgAx4bPIz7PuE_2Lk=
-      providers:
-        keycloak-oidc:
-          development:
-            metadataUrl: ${KEYCLOAK_NAME_METADATA}
-            clientId: backstage
-            clientSecret: ${KEYCLOAK_CLIENT_SECRET}
-            scope: 'openid profile email groups'
-            prompt: auto
-
-    scaffolder:
-      # see https://backstage.io/docs/features/software-templates/configuration for software template options
-        defaultAuthor:
-          name: backstage-scaffolder
-          email: noreply
-        defaultCommitMessage: "backstage scaffolder"
-    catalog:
-      import:
-        entityFilename: catalog-info.yaml
-        pullRequestBranchName: backstage-integration
-      rules:
-        - allow: [Component, System, API, Resource, Location, Template]
-      locations:
-        # Examples from a public GitHub repository.
-        - type: url
-          target: https://cnoe.localtest.me:8443/gitea/giteaAdmin/idpbuilder-localdev-ref-impl-packages/raw/branch/main/backstage-templates/entities/catalog-info.yaml
-        ## Uncomment these lines to add an example org
-        # - type: url
-        #   target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/acme-corp.yaml
-        #   rules:
-        #     - allow: [User, Group]
-    kubernetes:
-      serviceLocatorMethod:
-        type: 'multiTenant'
-      clusterLocatorMethods:
-        - $include: k8s-config.yaml
-    argocd:
-      username: admin
-      password: ${ARGOCD_ADMIN_PASSWORD}
-      appLocatorMethods:
-        - type: 'config'
-          instances:
-            - name: in-cluster
-              url: https://cnoe.localtest.me:8443/argocd
-              username: admin
-              password: ${ARGOCD_ADMIN_PASSWORD}
-    argoWorkflows:
-        baseUrl: ${ARGO_WORKFLOWS_URL}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: k8s-config
-  namespace: backstage
-stringData:
-  k8s-config.yaml: "type: 'config'\nclusters:\n  - url: https://kubernetes.default.svc.cluster.local\n
-    \   name: local\n    authProvider: 'serviceAccount'\n    skipTLSVerify: true\n
-    \   skipMetricsLookup: true\n    serviceAccountToken: \n      $file: /var/run/secrets/kubernetes.io/serviceaccount/token\n
-    \   caData: \n      $file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt\n"
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: backstage
-  namespace: backstage
-spec:
-  ports:
-    - name: http
-      port: 7007
-      targetPort: http
-  selector:
-    app: backstage
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: postgresql
-  name: postgresql
-  namespace: backstage
-spec:
-  clusterIP: None
-  ports:
-    - name: postgres
-      port: 5432
-  selector:
-    app: postgresql
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: backstage
-  namespace: backstage
-  annotations:
-    argocd.argoproj.io/sync-wave: "20"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: backstage
-  template:
-    metadata:
-      labels:
-        app: backstage
-    spec:
-      containers:
-        - command:
-            - node
-            - packages/backend
-            - --config
-            - config/app-config.yaml
-          env:
-            - name: LOG_LEVEL
-              value: debug
-            - name: NODE_TLS_REJECT_UNAUTHORIZED
-              value: "0"
-          envFrom:
-            - secretRef:
-                name: backstage-env-vars
-            - secretRef:
-                name: gitea-credentials
-            - secretRef:
-                name: argocd-credentials
-          image: public.ecr.aws/cnoe-io/backstage:rc1
-          name: backstage
-          ports:
-            - containerPort: 7007
-              name: http
-          volumeMounts:
-            - mountPath: /app/config
-              name: backstage-config
-              readOnly: true
-      serviceAccountName: backstage
-      volumes:
-        - name: backstage-config
-          projected:
-            sources:
-              - configMap:
-                  items:
-                    - key: app-config.yaml
-                      path: app-config.yaml
-                  name: backstage-config
-              - secret:
-                  items:
-                    - key: k8s-config.yaml
-                      path: k8s-config.yaml
-                  name: k8s-config
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  labels:
-    app: postgresql
-  name: postgresql
-  namespace: backstage
-  annotations:
-    argocd.argoproj.io/sync-wave: "10"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: postgresql
-  serviceName: service-postgresql
-  template:
-    metadata:
-      labels:
-        app: postgresql
-    spec:
-      containers:
-        - env:
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  name: backstage-env-vars
-                  key: POSTGRES_DB
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  name: backstage-env-vars
-                  key: POSTGRES_USER
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: backstage-env-vars
-                  key: POSTGRES_PASSWORD
-          image: docker.io/library/postgres:15.3-alpine3.18
-          name: postgres
-          ports:
-            - containerPort: 5432
-              name: postgresdb
-          resources:
-            limits:
-              memory: 500Mi
-            requests:
-              cpu: 100m
-              memory: 300Mi
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes: ["ReadWriteOnce"]
-      resources:
-        requests:
-          storage: "500Mi"
----
-apiVersion: generators.external-secrets.io/v1alpha1
-kind: Password
-metadata:
-  name: backstage
-  namespace: backstage
-spec:
-  length: 36
-  digits: 5
-  symbols: 5
-  symbolCharacters: "/-+"
-  noUpper: false
-  allowRepeat: true
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: backstage-oidc
-  namespace: backstage
-spec:
-  secretStoreRef:
-    name: keycloak
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: backstage-env-vars
-    template:
-      engineVersion: v2
-      data:
-        BACKSTAGE_FRONTEND_URL: https://cnoe.localtest.me:8443/backstage
-        POSTGRES_HOST: postgresql.backstage.svc.cluster.local
-        POSTGRES_PORT: '5432'
-        POSTGRES_DB: backstage
-        POSTGRES_USER: backstage
-        POSTGRES_PASSWORD: "{{.POSTGRES_PASSWORD}}"
-        ARGO_WORKFLOWS_URL: https://cnoe.localtest.me:8443/argo-workflows
-        KEYCLOAK_NAME_METADATA: https://cnoe.localtest.me:8443/keycloak/realms/cnoe/.well-known/openid-configuration
-        KEYCLOAK_CLIENT_SECRET: "{{.BACKSTAGE_CLIENT_SECRET}}"
-        ARGOCD_AUTH_TOKEN: "argocd.token={{.ARGOCD_SESSION_TOKEN}}"
-        ARGO_CD_URL: 'https://argocd-server.argocd.svc.cluster.local/api/v1/'
-  data:
-    - secretKey: ARGOCD_SESSION_TOKEN
-      remoteRef:
-        key: keycloak-clients
-        property: ARGOCD_SESSION_TOKEN
-    - secretKey: BACKSTAGE_CLIENT_SECRET
-      remoteRef:
-        key: keycloak-clients
-        property: BACKSTAGE_CLIENT_SECRET
-  dataFrom:
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: backstage
-      rewrite:
-        - transform:
-            template: "POSTGRES_PASSWORD"
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: gitea-credentials
-  namespace: backstage
-spec:
-  secretStoreRef:
-    name: gitea
-    kind: ClusterSecretStore
-  refreshInterval: "0"
-  target:
-    name: gitea-credentials
-  data:
-    - secretKey: GITEA_USERNAME
-      remoteRef:
-        key: gitea-credential
-        property: username
-    - secretKey: GITEA_PASSWORD
-      remoteRef:
-        key: gitea-credential
-        property: password
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: backstage
-  namespace: backstage
-spec:
-  ingressClassName: "nginx"
-  rules:
-    - host: localhost
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: backstage
-                port:
-                  name: http
-    - host: cnoe.localtest.me
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: backstage
-                port:
-                  name: http

ref/packages/keycloak-old/manifests/ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: keycloak-ingress-localhost
-  namespace: keycloak
-  annotations:
-    argocd.argoproj.io/sync-wave: "100"
-spec:
-  ingressClassName: "nginx"
-  rules:
-    - host: localhost
-      http:
-        paths:
-          - path: /keycloak
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: keycloak
-                port:
-                  name: http
-    - host: cnoe.localtest.me
-      http:
-        paths:
-          - path: /keycloak
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: keycloak
-                port:
-                  name: http

ref/packages/keycloak-old/manifests/keycloak-config.yaml

@@ -1,366 +0,0 @@
-# resources here are used to configure keycloak instance for SSO
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: keycloak-config
-  namespace: keycloak
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-config
-  namespace: keycloak
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: keycloak-config
-  namespace: keycloak
-subjects:
-  - kind: ServiceAccount
-    name: keycloak-config
-    namespace: keycloak
-roleRef:
-  kind: Role
-  name: keycloak-config
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-config
-  namespace: argocd
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: keycloak-config
-  namespace: argocd
-subjects:
-  - kind: ServiceAccount
-    name: keycloak-config
-    namespace: keycloak
-roleRef:
-  kind: Role
-  name: keycloak-config
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-job
-  namespace: keycloak
-data:
-  client-scope-groups-payload.json: |
-    {
-      "name": "groups",
-      "description": "groups a user belongs to",
-      "attributes": {
-          "consent.screen.text": "Access to groups a user belongs to.",
-          "display.on.consent.screen": "true",
-          "include.in.token.scope": "true",
-          "gui.order": ""
-      },
-      "type": "default",
-      "protocol": "openid-connect"
-    }
-  group-admin-payload.json: |
-    {"name":"admin"}
-  group-base-user-payload.json: |
-    {"name":"base-user"}
-  group-mapper-payload.json: |
-    {
-        "protocol": "openid-connect",
-        "protocolMapper": "oidc-group-membership-mapper",
-        "name": "groups",
-        "config": {
-          "claim.name": "groups",
-          "full.path": "false",
-          "id.token.claim": "true",
-          "access.token.claim": "true",
-          "userinfo.token.claim": "true"
-        }
-    }
-  realm-payload.json: |
-    {"realm":"cnoe","enabled":true}
-  user-password.json: |
-    {
-        "temporary": false,
-        "type": "password",
-        "value": "${USER1_PASSWORD}"
-    }
-  user-user1.json: |
-    {
-        "username": "user1",
-        "email": "",
-        "firstName": "user",
-        "lastName": "one",
-        "requiredActions": [],
-        "emailVerified": false,
-        "groups": [
-          "/admin"
-        ],
-        "enabled": true
-    }
-  user-user2.json: |
-    {
-        "username": "user2",
-        "email": "",
-        "firstName": "user",
-        "lastName": "two",
-        "requiredActions": [],
-        "emailVerified": false,
-        "groups": [
-          "/base-user"
-        ],
-        "enabled": true
-    }
-  argo-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "argo-workflows",
-      "name": "Argo Workflows Client",
-      "description": "Used for Argo Workflows SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://cnoe.localtest.me:8443/argo-workflows/oauth2/callback"
-      ],
-      "webOrigins": [
-        "/*"
-      ]
-    }
-
-  backstage-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "backstage",
-      "name": "Backstage Client",
-      "description": "Used for Backstage SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://cnoe.localtest.me:8443/api/auth/keycloak-oidc/handler/frame"
-      ],
-      "webOrigins": [
-        "/*"
-      ]
-    }
-
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: config
-  namespace: keycloak
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-spec:
-  template:
-    metadata:
-      generateName: config
-    spec:
-      serviceAccountName: keycloak-config
-      restartPolicy: Never
-      volumes:
-        - name: keycloak-config
-          secret:
-            secretName: keycloak-config
-        - name: config-payloads
-          configMap:
-            name: config-job
-      containers:
-        - name: kubectl
-          image: docker.io/library/ubuntu:22.04
-          volumeMounts:
-            - name: keycloak-config
-              readOnly: true
-              mountPath: "/var/secrets/"
-            - name: config-payloads
-              readOnly: true
-              mountPath: "/var/config/"
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              #! /bin/bash
-  
-              set -ex -o pipefail
-              
-              apt -qq update && apt -qq install curl jq -y
-              
-              ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD)
-              USER1_PASSWORD=$(cat /var/secrets/USER_PASSWORD)
-
-              KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:8080/keycloak
-
-              KEYCLOAK_TOKEN=$(curl -sS  --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-                --data-urlencode "username=cnoe-admin" \
-                --data-urlencode "password=${ADMIN_PASSWORD}" \
-                --data-urlencode "grant_type=password" \
-                --data-urlencode "client_id=admin-cli" \
-                ${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token | jq -e -r '.access_token')
-                
-              set +e
-              
-              curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}"  "${KEYCLOAK_URL}/admin/realms/cnoe"  &> /dev/null
-              if [ $? -eq 0 ]; then
-                exit 0
-              fi
-              set -e
-              
-              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
-              chmod +x kubectl
-              
-              echo "creating cnoe realm and groups"
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/realm-payload.json \
-                ${KEYCLOAK_URL}/admin/realms
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/client-scope-groups-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-admin-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-base-user-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
-              
-              # Create scope mapper
-                echo 'adding group claim to tokens'
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-mapper-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models
-                
-              echo "creating test users"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/user-user1.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/user-user2.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users
-              
-              USER1ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=one" | jq -r '.[0].id')
-              USER2ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=two" | jq -r '.[0].id')
-              
-              echo "setting user passwords"
-              jq -r --arg pass ${USER1_PASSWORD}  '.value = $pass' /var/config/user-password.json > /tmp/user-password-to-be-applied.json
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT --data @/tmp/user-password-to-be-applied.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER1ID}/reset-password
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT --data @/tmp/user-password-to-be-applied.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER2ID}/reset-password
-            
-              echo "creating Argo Workflows client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                  -X POST --data @/var/config/argo-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
-              
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argo-workflows") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-              echo "creating Backstage client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/backstage-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
-              
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
-              
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
-              
-              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
-              
-              echo \
-              "apiVersion: v1
-              kind: Secret
-              metadata:
-                name: keycloak-clients
-                namespace: keycloak
-              type: Opaque
-              stringData:
-                ARGO_WORKFLOWS_CLIENT_SECRET: ${ARGO_WORKFLOWS_CLIENT_SECRET}
-                ARGO_WORKFLOWS_CLIENT_ID: argo-workflows
-                ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
-                BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
-                BACKSTAGE_CLIENT_ID: backstage
-              " > /tmp/secret.yaml
-              
-              ./kubectl apply -f /tmp/secret.yaml
-