From 88d599a69109dc026ac0fe284fef85f89a9a0519 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 28 Feb 2025 13:30:29 +0000 Subject: [PATCH 01/20] Update template/stacks/monitoring/kube-prometheus/values.yaml --- .../monitoring/kube-prometheus/values.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 9c0ca32..942f6a6 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -33,6 +33,26 @@ grafana: domain: {{{ .Env.DOMAIN }}} root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true + auth: + oauth_allow_insecure_email_lookup: true + disable_login: true + disable_login_form: true + auth.generic_oauth: + enabled: true + name: Keycloak-OAuth + allow_sign_up: true + client_id: grafana-oauth + #client_secret: todo need to be set elsewhere + scopes: openid email profile offline_access roles + email_attribute_path: email + login_attribute_path: username + name_attribute_path: full_name + tls_skip_verify_insecure: true + auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' serviceMonitor: # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator From 0f8282ead68f085dd4c47416333c7335175dd1b6 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 28 Feb 2025 14:08:07 +0000 Subject: [PATCH 02/20] Update template/stacks/monitoring/kube-prometheus/values.yaml --- .../monitoring/kube-prometheus/values.yaml | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 942f6a6..22ffb4c 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -30,7 +30,7 @@ grafana: grafana.ini: server: - domain: {{{ .Env.DOMAIN }}} + domain: factory-172-18-0-2.traefik.me root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true auth: @@ -41,19 +41,26 @@ grafana: enabled: true name: Keycloak-OAuth allow_sign_up: true - client_id: grafana-oauth - #client_secret: todo need to be set elsewhere + client_id: $__file{/etc/secrets/auth_generic_oauth/client_id} + client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} scopes: openid email profile offline_access roles email_attribute_path: email login_attribute_path: username name_attribute_path: full_name tls_skip_verify_insecure: true - auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth - token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token - api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo - redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' + extraSecretMounts: + - name: auth-generic-oauth-secret-mount + secretName: auth-generic-oauth-secret + defaultMode: 0440 + mountPath: /etc/secrets/auth_generic_oauth + readOnly: true + serviceMonitor: # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator enabled: true From ce6c51eea97f94d27109a1774585347c9425f39d Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 10:47:25 +0100 Subject: [PATCH 03/20] Enhanced grafana yaml --- .../stacks/monitoring/kube-prometheus/values.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 22ffb4c..c0754b6 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -30,11 +30,10 @@ grafana: grafana.ini: server: - domain: factory-172-18-0-2.traefik.me + domain: {{{ .Env.DOMAIN }}} root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true auth: - oauth_allow_insecure_email_lookup: true disable_login: true disable_login_form: true auth.generic_oauth: @@ -47,12 +46,11 @@ grafana: email_attribute_path: email login_attribute_path: username name_attribute_path: full_name - tls_skip_verify_insecure: true - auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth - token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token - api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo - redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth - role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' + auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'" extraSecretMounts: - name: auth-generic-oauth-secret-mount From 65c5321ce687d78ab6c8f774c4e3d2b1b12838d9 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:11:38 +0100 Subject: [PATCH 04/20] Added Grafana client config to Keycloak --- .../keycloak/manifests/keycloak-config.yaml | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index e2a0981..2dd6d9b 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -181,6 +181,82 @@ data: ] } + grafana-client-payload.json: | + { + "clientId": "grafana-oauth", + "name": "grafana-oauth", + "description": "Used for Grafana SSO", + "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", + "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", + "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL", + "redirectUris": [ + "http://{{{ .Env.DOMAIN }}}/grafana/*" + ], + "webOrigins": [ + "https://{{{ .Env.DOMAIN }}}/grafana" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "false", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "offline_access", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } + } + --- apiVersion: batch/v1 kind: Job From efa3a6e4dceb74b3eb9321d59492cdddf3fe9c7c Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:18:04 +0100 Subject: [PATCH 05/20] Added ArgoCD sync retry to Grafana --- template/stacks/monitoring/kube-prometheus.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml index 32cdc88..1f5218c 100644 --- a/template/stacks/monitoring/kube-prometheus.yaml +++ b/template/stacks/monitoring/kube-prometheus.yaml @@ -15,6 +15,8 @@ spec: syncOptions: - CreateNamespace=true - ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure + retry: + limit: -1 destination: name: in-cluster namespace: monitoring From e02d4bb272b1df68e4fa5e4171d0dfbf5d77edf4 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:27:51 +0100 Subject: [PATCH 06/20] Added more Grafana client config to Keycloak --- .../keycloak/manifests/keycloak-config.yaml | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 2dd6d9b..d071f9a 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -183,8 +183,8 @@ data: grafana-client-payload.json: | { - "clientId": "grafana-oauth", - "name": "grafana-oauth", + "clientId": "grafana", + "name": "Grafana Client", "description": "Used for Grafana SSO", "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", @@ -406,7 +406,30 @@ spec: ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + + + + echo "creating Grafana client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/grafana-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + + + echo "creating Backstage client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -441,6 +464,8 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage + GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} + GRAFANA_CLIENT_ID: grafana " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml From 688795ffadb37d1a4bc491610b6b7c1ad92318bf Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:46:20 +0100 Subject: [PATCH 07/20] Added more Grafana client config to Keycloak --- template/stacks/monitoring/kube-prometheus/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index c0754b6..7a0a4f1 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -40,6 +40,7 @@ grafana: enabled: true name: Keycloak-OAuth allow_sign_up: true + use_refresh_token: true client_id: $__file{/etc/secrets/auth_generic_oauth/client_id} client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} scopes: openid email profile offline_access roles @@ -50,7 +51,7 @@ grafana: token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth - role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'" + role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'" extraSecretMounts: - name: auth-generic-oauth-secret-mount From b58e373da9de3d870491053249954192c2f900b1 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 14:19:07 +0100 Subject: [PATCH 08/20] Added email to Keycloak users and upgraded ArgoCD again as it requires more work --- template/stacks/core/argocd.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 4433721..4f65e09 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -21,7 +21,7 @@ spec: # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.6.12 + targetRevision: argo-cd-7.7.5 helm: valueFiles: - $values/stacks/core/argocd/values.yaml diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index d071f9a..604d714 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -100,11 +100,11 @@ data: user-user1.json: | { "username": "user1", - "email": "", + "email": "user1@user.de", "firstName": "user", "lastName": "one", "requiredActions": [], - "emailVerified": false, + "emailVerified": true, "groups": [ "/admin" ], @@ -113,11 +113,11 @@ data: user-user2.json: | { "username": "user2", - "email": "", + "email": "user2@user.de", "firstName": "user", "lastName": "two", "requiredActions": [], - "emailVerified": false, + "emailVerified": true, "groups": [ "/base-user" ], From 2d3ebadd506e8453d69e3a444337a8b84c98be2a Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 14:52:08 +0100 Subject: [PATCH 09/20] Simplified Keycloaks Grafana config --- .../monitoring/kube-prometheus/values.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 48 ++----------------- 2 files changed, 6 insertions(+), 44 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 7a0a4f1..1e42733 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -51,7 +51,7 @@ grafana: token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth - role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'" + role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'" extraSecretMounts: - name: auth-generic-oauth-secret-mount diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 604d714..1b5681f 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -189,20 +189,13 @@ data: "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana", - "surrogateAuthRequired": false, - "enabled": true, "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL", "redirectUris": [ "http://{{{ .Env.DOMAIN }}}/grafana/*" ], "webOrigins": [ "https://{{{ .Env.DOMAIN }}}/grafana" ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, "standardFlowEnabled": true, "implicitFlowEnabled": false, "directAccessGrantsEnabled": true, @@ -211,50 +204,19 @@ data: "frontchannelLogout": true, "protocol": "openid-connect", "attributes": { + "saml_idp_initiated_sso_url_name": "", "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" + "oauth2.device.authorization.grant.enabled": "false" }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "false", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String" - } - } - ], "defaultClientScopes": [ "web-origins", "acr", - "roles", "offline_access", + "roles", "profile", + "groups", "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } + ] } --- From ec31f988896a20f53e6d4d965ab70201e2f12658 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 15:28:48 +0100 Subject: [PATCH 10/20] Added external secret for grafana keycloak client secret --- .../monitoring/kube-prometheus/values.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 6 ------ .../keycloak/manifests/secret-grafana.yaml | 21 +++++++++++++++++++ 3 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 1e42733..901345f 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -41,7 +41,7 @@ grafana: name: Keycloak-OAuth allow_sign_up: true use_refresh_token: true - client_id: $__file{/etc/secrets/auth_generic_oauth/client_id} + client_id: grafana client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} scopes: openid email profile offline_access roles email_attribute_path: email diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 1b5681f..c271336 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -369,9 +369,6 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - - echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -388,9 +385,6 @@ spec: GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - - echo "creating Backstage client" curl -sS -H "Content-Type: application/json" \ diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml new file mode 100644 index 0000000..896ec1b --- /dev/null +++ b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: monitoring +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.GRAFANA_CLIENT_SECRET}}" + data: + - secretKey: GRAFANA_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: GRAFANA_CLIENT_SECRET From 6eb52e654cddcfcea0d6d366886a38933542d446 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 15:46:06 +0100 Subject: [PATCH 11/20] Refactored external secret for grafana keycloak client secret --- .../monitoring/kube-prometheus-sso.yaml | 23 +++++++++++++++++++ .../kube-prometheus-sso}/secret-grafana.yaml | 0 2 files changed, 23 insertions(+) create mode 100644 template/stacks/monitoring/kube-prometheus-sso.yaml rename template/stacks/{ref-implementation/keycloak/manifests => monitoring/kube-prometheus-sso}/secret-grafana.yaml (100%) diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml new file mode 100644 index 0000000..d38d81e --- /dev/null +++ b/template/stacks/monitoring/kube-prometheus-sso.yaml @@ -0,0 +1,23 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kube-prometheus-sso + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/monitoring/kube-prometheus-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: monitoring + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml similarity index 100% rename from template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml rename to template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml From 63a694d17c894fdaf37bfdb7d1b62e895eb2daaa Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 17:09:02 +0100 Subject: [PATCH 12/20] Removed Grafana admin account --- template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 901345f..584b767 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -1,10 +1,10 @@ grafana: namespaceOverride: "monitoring" - admin: - existingSecret: "kube-prometheus-stack-grafana-admin-password" - userKey: admin-user - passwordKey: admin-password + #admin: + # existingSecret: "kube-prometheus-stack-grafana-admin-password" + # userKey: admin-user + # passwordKey: admin-password defaultDashboardsTimezone: Europe/Berlin From 1ef1029e1f8c3750f5e22a167193aa626dfe8fae Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 17:26:29 +0100 Subject: [PATCH 13/20] Added Grafana admin account --- template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 584b767..901345f 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -1,10 +1,10 @@ grafana: namespaceOverride: "monitoring" - #admin: - # existingSecret: "kube-prometheus-stack-grafana-admin-password" - # userKey: admin-user - # passwordKey: admin-password + admin: + existingSecret: "kube-prometheus-stack-grafana-admin-password" + userKey: admin-user + passwordKey: admin-password defaultDashboardsTimezone: Europe/Berlin From 4ae8f6fd15c8702cf184802c841feb552850c19f Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Tue, 4 Mar 2025 18:49:55 +0100 Subject: [PATCH 14/20] shortened retry backoff --- template/stacks/ref-implementation/argo-workflows.yaml | 4 ++++ template/stacks/ref-implementation/backstage.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml index 3d33891..d001daa 100644 --- a/template/stacks/ref-implementation/argo-workflows.yaml +++ b/template/stacks/ref-implementation/argo-workflows.yaml @@ -23,3 +23,7 @@ spec: selfHeal: true retry: limit: -1 + backoff: + duration: 5s + factor: 1 + maxDuration: 10s diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml index 227d29f..c007181 100644 --- a/template/stacks/ref-implementation/backstage.yaml +++ b/template/stacks/ref-implementation/backstage.yaml @@ -23,3 +23,7 @@ spec: selfHeal: true retry: limit: -1 + backoff: + duration: 5s + factor: 1 + maxDuration: 10s From aba4a4a0880690dfc1df99c44228eb5e7b3e7a84 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Tue, 4 Mar 2025 19:03:36 +0100 Subject: [PATCH 15/20] shortened retry backoff --- template/stacks/ref-implementation/argo-workflows.yaml | 4 ++-- template/stacks/ref-implementation/backstage.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml index d001daa..ef23482 100644 --- a/template/stacks/ref-implementation/argo-workflows.yaml +++ b/template/stacks/ref-implementation/argo-workflows.yaml @@ -24,6 +24,6 @@ spec: retry: limit: -1 backoff: - duration: 5s + duration: 15s factor: 1 - maxDuration: 10s + maxDuration: 15s diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml index c007181..01932dc 100644 --- a/template/stacks/ref-implementation/backstage.yaml +++ b/template/stacks/ref-implementation/backstage.yaml @@ -24,6 +24,6 @@ spec: retry: limit: -1 backoff: - duration: 5s + duration: 15s factor: 1 - maxDuration: 10s + maxDuration: 15s From d0cce6916d367cad1b25cd3da77c19ddfd7f1e06 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Tue, 4 Mar 2025 19:06:11 +0100 Subject: [PATCH 16/20] fixed argocd version --- template/stacks/core/argocd.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 4433721..4f65e09 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -21,7 +21,7 @@ spec: # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.6.12 + targetRevision: argo-cd-7.7.5 helm: valueFiles: - $values/stacks/core/argocd/values.yaml From a9c69d6c24cd5f6b7032e8513d4afd4ba867b5f2 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Tue, 4 Mar 2025 19:23:19 +0100 Subject: [PATCH 17/20] adjusted retry backoff time --- template/stacks/monitoring/kube-prometheus-sso.yaml | 6 ++++++ template/stacks/monitoring/kube-prometheus.yaml | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml index d38d81e..0e6e43a 100644 --- a/template/stacks/monitoring/kube-prometheus-sso.yaml +++ b/template/stacks/monitoring/kube-prometheus-sso.yaml @@ -21,3 +21,9 @@ spec: - CreateNamespace=true automated: selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml index 1f5218c..7bcf3ca 100644 --- a/template/stacks/monitoring/kube-prometheus.yaml +++ b/template/stacks/monitoring/kube-prometheus.yaml @@ -17,6 +17,10 @@ spec: - ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure retry: limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s destination: name: in-cluster namespace: monitoring From 1ab8119063b54aba69dfcef1508e591d461e0065 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 7 Mar 2025 20:28:39 +0000 Subject: [PATCH 18/20] Fixed kubectl download on Linux ARM64 VMs --- .../keycloak/manifests/keycloak-config.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index c271336..6c8d603 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -285,7 +285,11 @@ spec: fi set -e - curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl" + if [[ "$(uname -m)" == "x86_64" ]]; then + curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl" + else + curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl" + fi chmod +x kubectl echo "creating cnoe realm and groups" From 303d7b3a7e9e1b44aeecf497ffbfc17d83c34fed Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Sat, 8 Mar 2025 12:50:23 +0000 Subject: [PATCH 19/20] Update template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml --- .../skeleton/.github/workflows/maven-build.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml index c750bd4..62cbd53 100644 --- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml +++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml @@ -33,7 +33,7 @@ jobs: #run: ./mvnw spring-boot:build-image # the original image build run: | export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]') - ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} + ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64 - name: Build image as tar run: | ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true @@ -57,7 +57,11 @@ jobs: NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this - name: install trivy from deb package run: | - wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb + if [[ "$(uname -m)" == "x86_64" ]]; then + wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb + else + wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb + fi DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb - name: scan the image run: trivy image --input jib-image.tar From 364a65a6be4f8e5b7ab7a6bc9584ab5bdc9287e2 Mon Sep 17 00:00:00 2001 From: miwr Date: Tue, 11 Mar 2025 13:08:15 +0100 Subject: [PATCH 20/20] alloy configuration added --- template/stacks/monitoring/alloy.yaml | 29 ++++++++++++++++++++ template/stacks/monitoring/alloy/values.yaml | 4 +++ 2 files changed, 33 insertions(+) create mode 100644 template/stacks/monitoring/alloy.yaml create mode 100644 template/stacks/monitoring/alloy/values.yaml diff --git a/template/stacks/monitoring/alloy.yaml b/template/stacks/monitoring/alloy.yaml new file mode 100644 index 0000000..7d4d614 --- /dev/null +++ b/template/stacks/monitoring/alloy.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: alloy + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + destination: + name: in-cluster + namespace: monitoring + sources: + - repoURL: https://github.com/grafana/alloy.git + path: operations/helm/charts/alloy + targetRevision: HEAD + helm: + valueFiles: + - $values/stacks/monitoring/alloy/values.yaml + - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + ref: values \ No newline at end of file diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml new file mode 100644 index 0000000..3f038fa --- /dev/null +++ b/template/stacks/monitoring/alloy/values.yaml @@ -0,0 +1,4 @@ +alloy: + create: false + name: alloy-config + key: config.alloy