diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 4f65e09..4433721 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -21,7 +21,7 @@ spec: # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.7.5 + targetRevision: argo-cd-7.6.12 helm: valueFiles: - $values/stacks/core/argocd/values.yaml diff --git a/template/stacks/ref-implementation/external-secrets.yaml b/template/stacks/core/external-secrets.yaml similarity index 88% rename from template/stacks/ref-implementation/external-secrets.yaml rename to template/stacks/core/external-secrets.yaml index 37e8004..b69e3f7 100644 --- a/template/stacks/ref-implementation/external-secrets.yaml +++ b/template/stacks/core/external-secrets.yaml @@ -14,7 +14,7 @@ spec: source: repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder targetRevision: HEAD - path: "stacks/ref-implementation/external-secrets/manifests" + path: "stacks/core/external-secrets/manifests" project: default syncPolicy: automated: diff --git a/template/stacks/ref-implementation/external-secrets/generate-manifests.sh b/template/stacks/core/external-secrets/generate-manifests.sh similarity index 100% rename from template/stacks/ref-implementation/external-secrets/generate-manifests.sh rename to template/stacks/core/external-secrets/generate-manifests.sh diff --git a/template/stacks/ref-implementation/external-secrets/manifests/install.yaml b/template/stacks/core/external-secrets/manifests/install.yaml similarity index 100% rename from template/stacks/ref-implementation/external-secrets/manifests/install.yaml rename to template/stacks/core/external-secrets/manifests/install.yaml diff --git a/template/stacks/ref-implementation/external-secrets/values.yaml b/template/stacks/core/external-secrets/values.yaml similarity index 100% rename from template/stacks/ref-implementation/external-secrets/values.yaml rename to template/stacks/core/external-secrets/values.yaml diff --git a/template/stacks/ref-implementation/keycloak.yaml b/template/stacks/core/keycloak.yaml similarity index 84% rename from template/stacks/ref-implementation/keycloak.yaml rename to template/stacks/core/keycloak.yaml index 93d8db7..6045086 100644 --- a/template/stacks/ref-implementation/keycloak.yaml +++ b/template/stacks/core/keycloak.yaml @@ -4,7 +4,7 @@ metadata: name: keycloak namespace: argocd labels: - example: ref-implementation + example: core finalizers: - resources-finalizer.argocd.argoproj.io spec: @@ -14,7 +14,7 @@ spec: source: repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder targetRevision: HEAD - path: "stacks/ref-implementation/keycloak/manifests" + path: "stacks/core/keycloak/manifests" project: default syncPolicy: automated: diff --git a/template/stacks/ref-implementation/keycloak/manifests/install.yaml b/template/stacks/core/keycloak/manifests/install.yaml similarity index 100% rename from template/stacks/ref-implementation/keycloak/manifests/install.yaml rename to template/stacks/core/keycloak/manifests/install.yaml diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/core/keycloak/manifests/keycloak-config.yaml similarity index 82% rename from template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml rename to template/stacks/core/keycloak/manifests/keycloak-config.yaml index 6c8d603..e2a0981 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/core/keycloak/manifests/keycloak-config.yaml @@ -100,11 +100,11 @@ data: user-user1.json: | { "username": "user1", - "email": "user1@user.de", + "email": "", "firstName": "user", "lastName": "one", "requiredActions": [], - "emailVerified": true, + "emailVerified": false, "groups": [ "/admin" ], @@ -113,11 +113,11 @@ data: user-user2.json: | { "username": "user2", - "email": "user2@user.de", + "email": "", "firstName": "user", "lastName": "two", "requiredActions": [], - "emailVerified": true, + "emailVerified": false, "groups": [ "/base-user" ], @@ -181,44 +181,6 @@ data: ] } - grafana-client-payload.json: | - { - "clientId": "grafana", - "name": "Grafana Client", - "description": "Used for Grafana SSO", - "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", - "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", - "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana", - "alwaysDisplayInConsole": false, - "redirectUris": [ - "http://{{{ .Env.DOMAIN }}}/grafana/*" - ], - "webOrigins": [ - "https://{{{ .Env.DOMAIN }}}/grafana" - ], - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "saml_idp_initiated_sso_url_name": "", - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false" - }, - "defaultClientScopes": [ - "web-origins", - "acr", - "offline_access", - "roles", - "profile", - "groups", - "email" - ] - } - --- apiVersion: batch/v1 kind: Job @@ -285,11 +247,7 @@ spec: fi set -e - if [[ "$(uname -m)" == "x86_64" ]]; then - curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl" - else - curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl" - fi + curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl" chmod +x kubectl echo "creating cnoe realm and groups" @@ -372,24 +330,7 @@ spec: ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - echo "creating Grafana client" - curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X POST --data @/var/config/grafana-client-payload.json \ - ${KEYCLOAK_URL}/admin/realms/cnoe/clients - CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') - - CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') - curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} - - GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ - -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ - -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - echo "creating Backstage client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -424,8 +365,6 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage - GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} - GRAFANA_CLIENT_ID: grafana " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-gen.yaml b/template/stacks/core/keycloak/manifests/secret-gen.yaml similarity index 100% rename from template/stacks/ref-implementation/keycloak/manifests/secret-gen.yaml rename to template/stacks/core/keycloak/manifests/secret-gen.yaml diff --git a/template/stacks/monitoring/alloy.yaml b/template/stacks/monitoring/alloy.yaml deleted file mode 100644 index 7d4d614..0000000 --- a/template/stacks/monitoring/alloy.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: alloy - namespace: argocd - labels: - env: dev - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - syncPolicy: - automated: - selfHeal: true - syncOptions: - - CreateNamespace=true - destination: - name: in-cluster - namespace: monitoring - sources: - - repoURL: https://github.com/grafana/alloy.git - path: operations/helm/charts/alloy - targetRevision: HEAD - helm: - valueFiles: - - $values/stacks/monitoring/alloy/values.yaml - - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder - targetRevision: HEAD - ref: values \ No newline at end of file diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml deleted file mode 100644 index 3f038fa..0000000 --- a/template/stacks/monitoring/alloy/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -alloy: - create: false - name: alloy-config - key: config.alloy diff --git a/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml b/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml deleted file mode 100644 index 896ec1b..0000000 --- a/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: auth-generic-oauth-secret - namespace: monitoring -spec: - secretStoreRef: - name: keycloak - kind: ClusterSecretStore - refreshInterval: "0" - target: - name: auth-generic-oauth-secret - template: - engineVersion: v2 - data: - client_secret: "{{.GRAFANA_CLIENT_SECRET}}" - data: - - secretKey: GRAFANA_CLIENT_SECRET - remoteRef: - key: keycloak-clients - property: GRAFANA_CLIENT_SECRET diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml index 7bcf3ca..32cdc88 100644 --- a/template/stacks/monitoring/kube-prometheus.yaml +++ b/template/stacks/monitoring/kube-prometheus.yaml @@ -15,12 +15,6 @@ spec: syncOptions: - CreateNamespace=true - ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure - retry: - limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s destination: name: in-cluster namespace: monitoring diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 901345f..9c0ca32 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -33,33 +33,7 @@ grafana: domain: {{{ .Env.DOMAIN }}} root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true - auth: - disable_login: true - disable_login_form: true - auth.generic_oauth: - enabled: true - name: Keycloak-OAuth - allow_sign_up: true - use_refresh_token: true - client_id: grafana - client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} - scopes: openid email profile offline_access roles - email_attribute_path: email - login_attribute_path: username - name_attribute_path: full_name - auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth - token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token - api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo - redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth - role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'" - extraSecretMounts: - - name: auth-generic-oauth-secret-mount - secretName: auth-generic-oauth-secret - defaultMode: 0440 - mountPath: /etc/secrets/auth_generic_oauth - readOnly: true - serviceMonitor: # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator enabled: true diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml index ef23482..3d33891 100644 --- a/template/stacks/ref-implementation/argo-workflows.yaml +++ b/template/stacks/ref-implementation/argo-workflows.yaml @@ -23,7 +23,3 @@ spec: selfHeal: true retry: limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml index 62cbd53..c750bd4 100644 --- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml +++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml @@ -33,7 +33,7 @@ jobs: #run: ./mvnw spring-boot:build-image # the original image build run: | export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]') - ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64 + ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} - name: Build image as tar run: | ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true @@ -57,11 +57,7 @@ jobs: NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this - name: install trivy from deb package run: | - if [[ "$(uname -m)" == "x86_64" ]]; then - wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb - else - wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb - fi + wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb - name: scan the image run: trivy image --input jib-image.tar diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml index 01932dc..227d29f 100644 --- a/template/stacks/ref-implementation/backstage.yaml +++ b/template/stacks/ref-implementation/backstage.yaml @@ -23,7 +23,3 @@ spec: selfHeal: true retry: limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/ref-implementation/external-secrets-openbao.yaml similarity index 67% rename from template/stacks/monitoring/kube-prometheus-sso.yaml rename to template/stacks/ref-implementation/external-secrets-openbao.yaml index 0e6e43a..1545b06 100644 --- a/template/stacks/monitoring/kube-prometheus-sso.yaml +++ b/template/stacks/ref-implementation/external-secrets-openbao.yaml @@ -1,29 +1,23 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: kube-prometheus-sso + name: external-secrets-openbao namespace: argocd labels: env: dev finalizers: - resources-finalizer.argocd.argoproj.io spec: - project: default + destination: + namespace: external-secrets + server: "https://kubernetes.default.svc" source: repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder targetRevision: HEAD - path: "stacks/monitoring/kube-prometheus-sso" - destination: - server: "https://kubernetes.default.svc" - namespace: monitoring + path: "stacks/ref-implementation/external-secrets-openbao/manifests" + project: default syncPolicy: - syncOptions: - - CreateNamespace=true automated: selfHeal: true - retry: - limit: -1 - backoff: - duration: 15s - factor: 1 - maxDuration: 15s + syncOptions: + - CreateNamespace=true diff --git a/template/stacks/ref-implementation/external-secrets/manifests/role.yaml b/template/stacks/ref-implementation/external-secrets-openbao/manifests/role.yaml similarity index 100% rename from template/stacks/ref-implementation/external-secrets/manifests/role.yaml rename to template/stacks/ref-implementation/external-secrets-openbao/manifests/role.yaml diff --git a/template/stacks/ref-implementation/external-secrets/manifests/rolebinding.yaml b/template/stacks/ref-implementation/external-secrets-openbao/manifests/rolebinding.yaml similarity index 100% rename from template/stacks/ref-implementation/external-secrets/manifests/rolebinding.yaml rename to template/stacks/ref-implementation/external-secrets-openbao/manifests/rolebinding.yaml diff --git a/template/stacks/ref-implementation/external-secrets/manifests/secret-store.yaml b/template/stacks/ref-implementation/external-secrets-openbao/manifests/secret-store.yaml similarity index 100% rename from template/stacks/ref-implementation/external-secrets/manifests/secret-store.yaml rename to template/stacks/ref-implementation/external-secrets-openbao/manifests/secret-store.yaml