From ca54424fc48d3eef82daa4d383bdfce51a70061b Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 11:34:44 +0100
Subject: [PATCH 01/49] adds sso config for forgejo

---
 template/stacks/core/forgejo/secret.yaml      |  9 ++++++
 template/stacks/core/forgejo/values.yaml      |  6 ++++
 .../keycloak/manifests/keycloak-config.yaml   | 29 +++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 template/stacks/core/forgejo/secret.yaml

diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml
new file mode 100644
index 0000000..231a7f0
--- /dev/null
+++ b/template/stacks/core/forgejo/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-credentials
+  namespace: gitea
+type: Opaque
+stringData:
+  key: forgejo
+  secret: nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY
\ No newline at end of file
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index bfcd384..b763f93 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,6 +27,12 @@ gitea:
     server:
       DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
+  oauth:
+    - name: 'Keycloak'
+      provider: 'openidConnect'
+      # or with 'key' and 'secret' parameter directly
+      existingSecret: gitea-credentials
+      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
 
 service:
   ssh:
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index e2a0981..0627306 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -181,6 +181,35 @@ data:
       ]
     }
 
+  forgejo-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "forgejo",
+      "name": "Forgejo Client",
+      "description": "Used for Forgejo SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "https://{{{ .Env.DOMAIN }}}",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://{{{ .Env.DOMAIN }}}/*"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }
+
 ---
 apiVersion: batch/v1
 kind: Job

From 8b93796afe86172a5c7088f76bdb533141670e34 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 12:19:46 +0100
Subject: [PATCH 02/49] debugging

---
 template/stacks/core/forgejo/values.yaml                  | 6 ------
 .../keycloak/manifests/keycloak-config.yaml               | 8 ++++----
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index b763f93..bfcd384 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,12 +27,6 @@ gitea:
     server:
       DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
-  oauth:
-    - name: 'Keycloak'
-      provider: 'openidConnect'
-      # or with 'key' and 'secret' parameter directly
-      existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
 
 service:
   ssh:
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 0627306..798c735 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -100,11 +100,11 @@ data:
   user-user1.json: |
     {
         "username": "user1",
-        "email": "",
+        "email": "user1@user.de",
         "firstName": "user",
         "lastName": "one",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/admin"
         ],
@@ -113,11 +113,11 @@ data:
   user-user2.json: |
     {
         "username": "user2",
-        "email": "",
+        "email": "user2@user.de",
         "firstName": "user",
         "lastName": "two",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/base-user"
         ],

From d6578419132fa712234f68293da2113b2fd2c022 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 12:31:04 +0100
Subject: [PATCH 03/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index bfcd384..f0ba6e0 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,6 +27,14 @@ gitea:
     server:
       DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
+  oauth:
+    - name: 'Keycloak'
+      provider: 'openidConnect'
+      # or with 'key' and 'secret' parameter directly
+      keys: 'forgejo'
+      secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
+      # existingSecret: gitea-credentials
+      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
 
 service:
   ssh:

From 97f4eb33d9f250ceeb0c94106394f0c220e415ec Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 13:24:24 +0100
Subject: [PATCH 04/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index f0ba6e0..0c07fa2 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -30,11 +30,10 @@ gitea:
   oauth:
     - name: 'Keycloak'
       provider: 'openidConnect'
-      # or with 'key' and 'secret' parameter directly
       keys: 'forgejo'
       secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
       # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+      autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration'
 
 service:
   ssh:

From 348a27d7c0a963e63003f386d50d0e1b2f91dc1e Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:01:01 +0100
Subject: [PATCH 05/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 0c07fa2..9d724cd 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,13 +27,18 @@ gitea:
     server:
       DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
-  oauth:
-    - name: 'Keycloak'
-      provider: 'openidConnect'
-      keys: 'forgejo'
-      secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
-      # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration'
+    
+oauth2_client:
+  ENABLE_AUTO_REGISTRATION: true
+  ACCOUNT_LINKING: auto  
+  
+oauth:
+  - name: 'Keycloak'
+    provider: 'openidConnect'
+    key: 'forgejo'
+    secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
+    # existingSecret: gitea-credentials
+    autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration'
 
 service:
   ssh:

From c2fa44adc35ca5af733e363b946ad5183078dd0d Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:06:38 +0100
Subject: [PATCH 06/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 9d724cd..3d5a230 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,18 +27,16 @@ gitea:
     server:
       DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
-    
-oauth2_client:
-  ENABLE_AUTO_REGISTRATION: true
-  ACCOUNT_LINKING: auto  
-  
-oauth:
-  - name: 'Keycloak'
-    provider: 'openidConnect'
-    key: 'forgejo'
-    secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
-    # existingSecret: gitea-credentials
-    autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration'
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
+      ACCOUNT_LINKING: auto  
+  oauth:
+    - name: 'Keycloak'
+      provider: 'openidConnect'
+      key: 'forgejo'
+      secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
+      # existingSecret: gitea-credentials
+      autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration'
 
 service:
   ssh:

From 109198d96fbfc7cd6280a16b7fbd060d0910c8f2 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:33:32 +0100
Subject: [PATCH 07/49] debugging

---
 template/stacks/core/forgejo/values.yaml                      | 2 +-
 .../keycloak/manifests/keycloak-config.yaml                   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 3d5a230..c1be3ca 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -36,7 +36,7 @@ gitea:
       key: 'forgejo'
       secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
       # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://gitea.runner.c-one-infra.de/.well-known/openid-configuration'
+      autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/.well-known/openid-configuration'
 
 service:
   ssh:
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 798c735..c6b407e 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -200,10 +200,10 @@ data:
         "oidc.ciba.grant.enabled": false
       },
       "alwaysDisplayInConsole": false,
-      "rootUrl": "https://{{{ .Env.DOMAIN }}}",
+      "rootUrl": "https://gitea.{{{ .Env.DOMAIN }}}",
       "baseUrl": "",
       "redirectUris": [
-        "https://{{{ .Env.DOMAIN }}}/*"
+        "https://gitea.{{{ .Env.DOMAIN }}}/*"
       ],
       "webOrigins": [
         "/*"

From 456dc397f88ae03e67513e3039f4829cbbfb4cee Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:39:32 +0100
Subject: [PATCH 08/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index c1be3ca..05bed49 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -36,7 +36,7 @@ gitea:
       key: 'forgejo'
       secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
       # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/.well-known/openid-configuration'
+      autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/realms/cnoe/.well-known/openid-configuration'
 
 service:
   ssh:

From bc3a5ee0e2b45935e1287652b724b7e9dfd6a135 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:46:48 +0100
Subject: [PATCH 09/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 05bed49..f8cf3c3 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -36,7 +36,7 @@ gitea:
       key: 'forgejo'
       secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
       # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://gitea.{{{ .Env.DOMAIN }}}/realms/cnoe/.well-known/openid-configuration'
+      autoDiscoverUrl: 'https://auth.gitea.runner.c-one-infra.de/realms/cnoe/.well-known/openid-configuration'
 
 service:
   ssh:

From f3ad8444e863038cd00facc95644d7346336f47b Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:52:24 +0100
Subject: [PATCH 10/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index f8cf3c3..49cc05e 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -30,13 +30,6 @@ gitea:
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
       ACCOUNT_LINKING: auto  
-  oauth:
-    - name: 'Keycloak'
-      provider: 'openidConnect'
-      key: 'forgejo'
-      secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
-      # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://auth.gitea.runner.c-one-infra.de/realms/cnoe/.well-known/openid-configuration'
 
 service:
   ssh:

From 3c65ec704e02459f17cb9143b301f598d0df842a Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 14:59:27 +0100
Subject: [PATCH 11/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 49cc05e..5ec79db 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -29,7 +29,14 @@ gitea:
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
-      ACCOUNT_LINKING: auto  
+      ACCOUNT_LINKING: auto 
+    oauth:
+    - name: 'Keycloak'
+      provider: 'openidConnect'
+      key: 'forgejo'
+      secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
+      # existingSecret: gitea-credentials
+      autoDiscoverUrl: 'https://runner.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration'     
 
 service:
   ssh:

From 45f84b30b18755c757def1db6c0f945d10751c55 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 15:12:19 +0100
Subject: [PATCH 12/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 5ec79db..a0bb605 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -30,7 +30,7 @@ gitea:
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
       ACCOUNT_LINKING: auto 
-    oauth:
+  oauth:
     - name: 'Keycloak'
       provider: 'openidConnect'
       key: 'forgejo'

From 95c45ded96e9564b7fe884c5ec1e51d32f80fcb9 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 15:18:35 +0100
Subject: [PATCH 13/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index a0bb605..d849b37 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -29,14 +29,7 @@ gitea:
       ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
-      ACCOUNT_LINKING: auto 
-  oauth:
-    - name: 'Keycloak'
-      provider: 'openidConnect'
-      key: 'forgejo'
-      secret: 'nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY'
-      # existingSecret: gitea-credentials
-      autoDiscoverUrl: 'https://runner.c-one-infra.de/keycloak/realms/cnoe/.well-known/openid-configuration'     
+      ACCOUNT_LINKING: auto      
 
 service:
   ssh:

From d22ea7c82a5a309afb6828174a40f98b8cae6827 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 25 Feb 2025 15:45:17 +0100
Subject: [PATCH 14/49] debugging

---
 template/stacks/core/forgejo/values.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index d849b37..fcfb59a 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -30,6 +30,8 @@ gitea:
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
       ACCOUNT_LINKING: auto      
+  ssh:
+    logLevel: 'DEBUG'
 
 service:
   ssh:

From 1b565de935b8444c6fef08d52c370e125b58a917 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Wed, 26 Feb 2025 16:32:55 +0100
Subject: [PATCH 15/49] forgejo config for sso

---
 template/stacks/core/forgejo/values.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index fcfb59a..32d7242 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -30,8 +30,13 @@ gitea:
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
       ACCOUNT_LINKING: auto      
-  ssh:
-    logLevel: 'DEBUG'
+  oauth:
+    - name: 'Keycloak'
+      provider: 'openidConnect'
+      # key: 'forgejo'
+      # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
+      existingSecret: gitea-credentials
+      autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'  
 
 service:
   ssh:

From fd0df35b1ae00028195e59ef1a8c21de6f2b19cf Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Wed, 26 Feb 2025 16:48:18 +0100
Subject: [PATCH 16/49] forgejo oauth uses existing secret

---
 template/stacks/core/forgejo/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 32d7242..c4216b9 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -35,7 +35,7 @@ gitea:
       provider: 'openidConnect'
       # key: 'forgejo'
       # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
-      existingSecret: gitea-credentials
+      existingSecret: forgejo-oidc
       autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'  
 
 service:

From a2b3e0cbd3323400aff676f57dfcf950810d5004 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Thu, 27 Feb 2025 13:15:27 +0100
Subject: [PATCH 17/49] testing

---
 template/stacks/core/forgejo/values.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 3ec4778..4d81041 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -30,13 +30,13 @@ gitea:
     oauth2_client:
       ENABLE_AUTO_REGISTRATION: true
       ACCOUNT_LINKING: auto      
-  oauth:
-    - name: 'Keycloak'
-      provider: 'openidConnect'
-      # key: 'forgejo'
-      # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
-      existingSecret: forgejo-oidc
-      autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'  
+#  oauth:
+#   - name: 'Keycloak'
+#      provider: 'openidConnect'
+#      # key: 'forgejo'
+#      # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
+#      existingSecret: forgejo-oidc
+#      autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'  
 
 service:
   ssh:

From b804f2293fe9a013a9a0b36c93b3aa0b36deba2e Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Thu, 27 Feb 2025 13:32:12 +0100
Subject: [PATCH 18/49] extends keycloak-config.yaml

---
 template/stacks/core/forgejo/secret.yaml      |  4 +-
 .../keycloak/manifests/keycloak-config.yaml   | 39 ++++++++++++++++---
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml
index 231a7f0..7d33fd6 100644
--- a/template/stacks/core/forgejo/secret.yaml
+++ b/template/stacks/core/forgejo/secret.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: gitea-credentials
+  name: forgejo-oidc
   namespace: gitea
 type: Opaque
 stringData:
   key: forgejo
-  secret: nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY
\ No newline at end of file
+  secret: uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu
\ No newline at end of file
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index c6b407e..baff0ef 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -200,10 +200,10 @@ data:
         "oidc.ciba.grant.enabled": false
       },
       "alwaysDisplayInConsole": false,
-      "rootUrl": "https://gitea.{{{ .Env.DOMAIN }}}",
+      "rootUrl": "https://{{{ .Env.DOMAIN_GITEA }}}:443",
       "baseUrl": "",
       "redirectUris": [
-        "https://gitea.{{{ .Env.DOMAIN }}}/*"
+        "https://{{{ .Env.DOMAIN_GITEA }}}/*"
       ],
       "webOrigins": [
         "/*"
@@ -370,12 +370,39 @@ spec:
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
               
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
               
-              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              =$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+              echo "creating Forgejo client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X POST --data @/var/config/forgejo-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "forgejo") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              FORGEJO_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')  
               
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
               
@@ -394,6 +421,8 @@ spec:
                 ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                 BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                 BACKSTAGE_CLIENT_ID: backstage
+                FORGEJO_CLIENT_SECRET: ${FORGEJO_CLIENT_SECRET}
+                FORGEJO_CLIENT_ID: forgejo
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml

From 265af3acfffbb8d2eae666b991db87b0d24fdadb Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:01:07 +0000
Subject: [PATCH 19/49] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 3518102..cd2a34b 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      targetRevision: argo-cd-7.7.5
+      targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

From 9cc9b864a2e4bef9421efd62ed4434877faa6cc9 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:04:21 +0000
Subject: [PATCH 20/49] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index cd2a34b..15cb6fb 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,6 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
+      # TOD: RIRE 
       targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:

From 168286cfce1688a280cca8ed9fdedcc4a1f2840a Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:07:21 +0000
Subject: [PATCH 21/49] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 15cb6fb..215d1e3 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,7 +18,7 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      # TOD: RIRE 
+      # TOD: RIRE can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:

From 90168312862e39fe4e3c7026e9cf20a2bc98b51f Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 11:15:56 +0000
Subject: [PATCH 22/49] Update template/stacks/core/argocd.yaml

---
 template/stacks/core/argocd.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 215d1e3..4433721 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -18,7 +18,9 @@ spec:
   sources:
     - repoURL: https://github.com/argoproj/argo-helm
       path: charts/argo-cd
-      # TOD: RIRE can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
+      # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
+      # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
+      # similar to the CNOE amazon reference implementation and in our case, Forgejo
       targetRevision: argo-cd-7.6.12
       helm:
         valueFiles:

From 88d599a69109dc026ac0fe284fef85f89a9a0519 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 13:30:29 +0000
Subject: [PATCH 23/49] Update
 template/stacks/monitoring/kube-prometheus/values.yaml

---
 .../monitoring/kube-prometheus/values.yaml    | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 9c0ca32..942f6a6 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -33,6 +33,26 @@ grafana:
       domain: {{{ .Env.DOMAIN }}}
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
+    auth:
+      oauth_allow_insecure_email_lookup: true
+      disable_login: true
+      disable_login_form: true
+    auth.generic_oauth:
+      enabled: true
+      name: Keycloak-OAuth
+      allow_sign_up: true
+      client_id: grafana-oauth
+      #client_secret: todo need to be set elsewhere
+      scopes: openid email profile offline_access roles
+      email_attribute_path: email
+      login_attribute_path: username
+      name_attribute_path: full_name
+      tls_skip_verify_insecure: true
+      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
       
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator

From 0f8282ead68f085dd4c47416333c7335175dd1b6 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 28 Feb 2025 14:08:07 +0000
Subject: [PATCH 24/49] Update
 template/stacks/monitoring/kube-prometheus/values.yaml

---
 .../monitoring/kube-prometheus/values.yaml    | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 942f6a6..22ffb4c 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -30,7 +30,7 @@ grafana:
 
   grafana.ini:
     server:
-      domain: {{{ .Env.DOMAIN }}}
+      domain: factory-172-18-0-2.traefik.me
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
     auth:
@@ -41,19 +41,26 @@ grafana:
       enabled: true
       name: Keycloak-OAuth
       allow_sign_up: true
-      client_id: grafana-oauth
-      #client_secret: todo need to be set elsewhere
+      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
       email_attribute_path: email
       login_attribute_path: username
       name_attribute_path: full_name
       tls_skip_verify_insecure: true
-      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
-      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
-      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
-      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth
       role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
       
+  extraSecretMounts:
+    - name: auth-generic-oauth-secret-mount
+      secretName: auth-generic-oauth-secret
+      defaultMode: 0440
+      mountPath: /etc/secrets/auth_generic_oauth
+      readOnly: true
+
   serviceMonitor:
     # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
     enabled: true

From ce6c51eea97f94d27109a1774585347c9425f39d Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 10:47:25 +0100
Subject: [PATCH 25/49] Enhanced grafana yaml

---
 .../stacks/monitoring/kube-prometheus/values.yaml  | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 22ffb4c..c0754b6 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -30,11 +30,10 @@ grafana:
 
   grafana.ini:
     server:
-      domain: factory-172-18-0-2.traefik.me
+      domain: {{{ .Env.DOMAIN }}}
       root_url: "%(protocol)s://%(domain)s/grafana"
       serve_from_sub_path: true
     auth:
-      oauth_allow_insecure_email_lookup: true
       disable_login: true
       disable_login_form: true
     auth.generic_oauth:
@@ -47,12 +46,11 @@ grafana:
       email_attribute_path: email
       login_attribute_path: username
       name_attribute_path: full_name
-      tls_skip_verify_insecure: true
-      auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth
-      token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token
-      api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo
-      redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth
-      role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
+      auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth
+      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
+      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
+      role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount

From 65c5321ce687d78ab6c8f774c4e3d2b1b12838d9 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:11:38 +0100
Subject: [PATCH 26/49] Added Grafana client config to Keycloak

---
 .../keycloak/manifests/keycloak-config.yaml   | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index e2a0981..2dd6d9b 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -181,6 +181,82 @@ data:
       ]
     }
 
+  grafana-client-payload.json: |
+    {
+      "clientId": "grafana-oauth",
+      "name": "grafana-oauth",
+      "description": "Used for Grafana SSO",
+      "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
+      "redirectUris": [
+        "http://{{{ .Env.DOMAIN }}}/grafana/*"
+      ],
+      "webOrigins": [
+        "https://{{{ .Env.DOMAIN }}}/grafana"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": true,
+      "protocol": "openid-connect",
+      "attributes": {
+        "oidc.ciba.grant.enabled": "false",
+        "backchannel.logout.session.required": "true",
+        "display.on.consent.screen": "false",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.revoke.offline.tokens": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "protocolMappers": [
+        {
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "false",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "roles",
+        "offline_access",
+        "profile",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "microprofile-jwt"
+      ],
+      "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+      }
+    }
+
 ---
 apiVersion: batch/v1
 kind: Job

From efa3a6e4dceb74b3eb9321d59492cdddf3fe9c7c Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:18:04 +0100
Subject: [PATCH 27/49] Added ArgoCD sync retry to Grafana

---
 template/stacks/monitoring/kube-prometheus.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml
index 32cdc88..1f5218c 100644
--- a/template/stacks/monitoring/kube-prometheus.yaml
+++ b/template/stacks/monitoring/kube-prometheus.yaml
@@ -15,6 +15,8 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true  # do not copy metdata, since (because of its large size) it can lead to sync failure
+    retry:
+      limit: -1
   destination:
     name: in-cluster
     namespace: monitoring

From e02d4bb272b1df68e4fa5e4171d0dfbf5d77edf4 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:27:51 +0100
Subject: [PATCH 28/49] Added more Grafana client config to Keycloak

---
 .../keycloak/manifests/keycloak-config.yaml   | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 2dd6d9b..d071f9a 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -183,8 +183,8 @@ data:
 
   grafana-client-payload.json: |
     {
-      "clientId": "grafana-oauth",
-      "name": "grafana-oauth",
+      "clientId": "grafana",
+      "name": "Grafana Client",
       "description": "Used for Grafana SSO",
       "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
@@ -406,7 +406,30 @@ spec:
               ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+
+
+
+
+              echo "creating Grafana client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/grafana-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
               
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "grafana") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+
+
+
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -441,6 +464,8 @@ spec:
                 ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
                 BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
                 BACKSTAGE_CLIENT_ID: backstage
+                GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
+                GRAFANA_CLIENT_ID: grafana
               " > /tmp/secret.yaml
               
               ./kubectl apply -f /tmp/secret.yaml

From 688795ffadb37d1a4bc491610b6b7c1ad92318bf Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 13:46:20 +0100
Subject: [PATCH 29/49] Added more Grafana client config to Keycloak

---
 template/stacks/monitoring/kube-prometheus/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index c0754b6..7a0a4f1 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -40,6 +40,7 @@ grafana:
       enabled: true
       name: Keycloak-OAuth
       allow_sign_up: true
+      use_refresh_token: true
       client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
       client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
@@ -50,7 +51,7 @@ grafana:
       token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
       api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
       redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'"
+      role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount

From b58e373da9de3d870491053249954192c2f900b1 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 14:19:07 +0100
Subject: [PATCH 30/49] Added email to Keycloak users and upgraded ArgoCD again
 as it requires more work

---
 template/stacks/core/argocd.yaml                          | 2 +-
 .../keycloak/manifests/keycloak-config.yaml               | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 4433721..4f65e09 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -21,7 +21,7 @@ spec:
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.6.12
+      targetRevision: argo-cd-7.7.5
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index d071f9a..604d714 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -100,11 +100,11 @@ data:
   user-user1.json: |
     {
         "username": "user1",
-        "email": "",
+        "email": "user1@user.de",
         "firstName": "user",
         "lastName": "one",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/admin"
         ],
@@ -113,11 +113,11 @@ data:
   user-user2.json: |
     {
         "username": "user2",
-        "email": "",
+        "email": "user2@user.de",
         "firstName": "user",
         "lastName": "two",
         "requiredActions": [],
-        "emailVerified": false,
+        "emailVerified": true,
         "groups": [
           "/base-user"
         ],

From 2d3ebadd506e8453d69e3a444337a8b84c98be2a Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 14:52:08 +0100
Subject: [PATCH 31/49] Simplified Keycloaks Grafana config

---
 .../monitoring/kube-prometheus/values.yaml    |  2 +-
 .../keycloak/manifests/keycloak-config.yaml   | 48 ++-----------------
 2 files changed, 6 insertions(+), 44 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 7a0a4f1..1e42733 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -51,7 +51,7 @@ grafana:
       token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
       api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
       redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'"
+      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 604d714..1b5681f 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -189,20 +189,13 @@ data:
       "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "surrogateAuthRequired": false,
-      "enabled": true,
       "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
       "redirectUris": [
         "http://{{{ .Env.DOMAIN }}}/grafana/*"
       ],
       "webOrigins": [
         "https://{{{ .Env.DOMAIN }}}/grafana"
       ],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": true,
@@ -211,50 +204,19 @@ data:
       "frontchannelLogout": true,
       "protocol": "openid-connect",
       "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
         "oidc.ciba.grant.enabled": "false",
-        "backchannel.logout.session.required": "true",
-        "display.on.consent.screen": "false",
-        "oauth2.device.authorization.grant.enabled": "false",
-        "backchannel.logout.revoke.offline.tokens": "false"
+        "oauth2.device.authorization.grant.enabled": "false"
       },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "protocolMappers": [
-        {
-          "name": "client roles",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-client-role-mapper",
-          "consentRequired": false,
-          "config": {
-            "multivalued": "true",
-            "userinfo.token.claim": "false",
-            "user.attribute": "foo",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "resource_access.${client_id}.roles",
-            "jsonType.label": "String"
-          }
-        }
-      ],
       "defaultClientScopes": [
         "web-origins",
         "acr",
-        "roles",
         "offline_access",
+        "roles",
         "profile",
+        "groups",
         "email"
-      ],
-      "optionalClientScopes": [
-        "address",
-        "phone",
-        "microprofile-jwt"
-      ],
-      "access": {
-        "view": true,
-        "configure": true,
-        "manage": true
-      }
+      ]
     }
 
 ---

From ec31f988896a20f53e6d4d965ab70201e2f12658 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 15:28:48 +0100
Subject: [PATCH 32/49] Added external secret for grafana keycloak client
 secret

---
 .../monitoring/kube-prometheus/values.yaml    |  2 +-
 .../keycloak/manifests/keycloak-config.yaml   |  6 ------
 .../keycloak/manifests/secret-grafana.yaml    | 21 +++++++++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 1e42733..901345f 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -41,7 +41,7 @@ grafana:
       name: Keycloak-OAuth
       allow_sign_up: true
       use_refresh_token: true
-      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+      client_id: grafana
       client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
       scopes: openid email profile offline_access roles
       email_attribute_path: email
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 1b5681f..c271336 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -369,9 +369,6 @@ spec:
               -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
               -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 
-
-
-
               echo "creating Grafana client"
               curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
@@ -388,9 +385,6 @@ spec:
               GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-
-
 
               echo "creating Backstage client"
               curl -sS -H "Content-Type: application/json" \
diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
new file mode 100644
index 0000000..896ec1b
--- /dev/null
+++ b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.GRAFANA_CLIENT_SECRET}}"
+  data:
+    - secretKey: GRAFANA_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: GRAFANA_CLIENT_SECRET

From 6eb52e654cddcfcea0d6d366886a38933542d446 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 15:46:06 +0100
Subject: [PATCH 33/49] Refactored external secret for grafana keycloak client
 secret

---
 .../monitoring/kube-prometheus-sso.yaml       | 23 +++++++++++++++++++
 .../kube-prometheus-sso}/secret-grafana.yaml  |  0
 2 files changed, 23 insertions(+)
 create mode 100644 template/stacks/monitoring/kube-prometheus-sso.yaml
 rename template/stacks/{ref-implementation/keycloak/manifests => monitoring/kube-prometheus-sso}/secret-grafana.yaml (100%)

diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml
new file mode 100644
index 0000000..d38d81e
--- /dev/null
+++ b/template/stacks/monitoring/kube-prometheus-sso.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-sso
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+    targetRevision: HEAD
+    path: "stacks/monitoring/kube-prometheus-sso"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: monitoring
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml
similarity index 100%
rename from template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml
rename to template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml

From 63a694d17c894fdaf37bfdb7d1b62e895eb2daaa Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 17:09:02 +0100
Subject: [PATCH 34/49] Removed Grafana admin account

---
 template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 901345f..584b767 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -1,10 +1,10 @@
 grafana:
   namespaceOverride: "monitoring"
 
-  admin:
-    existingSecret: "kube-prometheus-stack-grafana-admin-password"
-    userKey: admin-user
-    passwordKey: admin-password
+  #admin:
+  #  existingSecret: "kube-prometheus-stack-grafana-admin-password"
+  #  userKey: admin-user
+  #  passwordKey: admin-password
 
   defaultDashboardsTimezone: Europe/Berlin
 

From 1ef1029e1f8c3750f5e22a167193aa626dfe8fae Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Sun, 2 Mar 2025 17:26:29 +0100
Subject: [PATCH 35/49] Added Grafana admin account

---
 template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 584b767..901345f 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -1,10 +1,10 @@
 grafana:
   namespaceOverride: "monitoring"
 
-  #admin:
-  #  existingSecret: "kube-prometheus-stack-grafana-admin-password"
-  #  userKey: admin-user
-  #  passwordKey: admin-password
+  admin:
+    existingSecret: "kube-prometheus-stack-grafana-admin-password"
+    userKey: admin-user
+    passwordKey: admin-password
 
   defaultDashboardsTimezone: Europe/Berlin
 

From d0fb858a817f097dcc4d378a0df08d37510783b0 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Mon, 3 Mar 2025 13:40:34 +0100
Subject: [PATCH 36/49] debugging

---
 .../ref-implementation/keycloak/manifests/keycloak-config.yaml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index baff0ef..e6d0a4c 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -378,7 +378,7 @@ spec:
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
-              =$(curl -sS -H "Content-Type: application/json" \
+              curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 

From 8a38aee529516a78532f2056a275c6008bb2f091 Mon Sep 17 00:00:00 2001
From: Patrick Sy <patrick.sy@telekom.de>
Date: Mon, 3 Mar 2025 15:21:46 +0100
Subject: [PATCH 37/49] feat(runner): Added ubuntu-latest runner tag

---
 .../stacks/core/forgejo-runner/dind-docker.yaml     | 13 ++++++++++++-
 template/stacks/core/forgejo/values.yaml            |  1 +
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo-runner/dind-docker.yaml b/template/stacks/core/forgejo-runner/dind-docker.yaml
index bad42d5..04b07a7 100644
--- a/template/stacks/core/forgejo-runner/dind-docker.yaml
+++ b/template/stacks/core/forgejo-runner/dind-docker.yaml
@@ -29,7 +29,18 @@ spec:
       initContainers:
         - name: runner-register
           image: code.forgejo.org/forgejo/runner:6.0.1
-          command: ["forgejo-runner", "register", "--no-interactive", "--token", $(RUNNER_SECRET), "--name", $(RUNNER_NAME), "--instance", $(FORGEJO_INSTANCE_URL), "--labels", "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"]
+          command: 
+            - "forgejo-runner"
+            - "register"
+            - "--no-interactive"
+            - "--token"
+            - $(RUNNER_SECRET)
+            - "--name"
+            - $(RUNNER_NAME)
+            - "--instance"
+            - $(FORGEJO_INSTANCE_URL)
+            - "--labels"
+            - "docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04"
           env:
             - name: RUNNER_NAME
               valueFrom:
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index dda08f7..1bf35c2 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -53,3 +53,4 @@ forgejo:
           - docker:docker://node:16-bullseye
           - self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
           - ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+          - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04

From d95ba7c12c65d268774dd2fc9acf5cfecef5152e Mon Sep 17 00:00:00 2001
From: Patrick Sy <patrick.sy@telekom.de>
Date: Mon, 3 Mar 2025 16:37:18 +0100
Subject: [PATCH 38/49] chore(petclinic): Removed unused workflow Disabled
 tests in maven workflow as there are currently dind problems

---
 .../.github/workflows/gradle-build.yml        | 32 -------------------
 .../.github/workflows/maven-build.yml         |  2 +-
 2 files changed, 1 insertion(+), 33 deletions(-)
 delete mode 100644 template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml

diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml
deleted file mode 100644
index 61fadfd..0000000
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/gradle-build.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# This workflow will build a Java project with Gradle, and cache/restore any dependencies to improve the workflow execution time
-# For more information see: https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-gradle
-
-name: Java CI with Gradle
-
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        java: [ '17' ]
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up JDK {% raw %}${{matrix.java}}{% endraw %}
-        uses: https://github.com/actions/setup-java@v4
-        with:
-          java-version: '{% raw %}${{matrix.java}}{% endraw %}'
-          distribution: 'adopt'
-          cache: maven
-      - name: Setup Gradle
-        uses: https://github.com/gradle/actions/setup-gradle@v4
-      - name: Build with Gradle
-        run: ./gradlew build
-
diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
index a9058fc..c750bd4 100644
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
+++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
@@ -28,7 +28,7 @@ jobs:
           distribution: 'adopt'
           cache: maven
       - name: Build with Maven Wrapper
-        run: ./mvnw -B verify
+        run: ./mvnw -B -DskipTests verify
       - name: Build image
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |

From 6b18ed0443718d59386aff05f7ae8dea3ba3eaa1 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Tue, 4 Mar 2025 12:41:32 +0100
Subject: [PATCH 39/49] adds external secret for forgejo client

---
 .../forgejo/forgejo-sso/secret-forgejo.yaml   | 21 +++++++++++++++++++
 template/stacks/core/forgejo/secret.yaml      |  9 --------
 template/stacks/core/forgejo/values.yaml      |  2 +-
 3 files changed, 22 insertions(+), 10 deletions(-)
 create mode 100644 template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml
 delete mode 100644 template/stacks/core/forgejo/secret.yaml

diff --git a/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml b/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml
new file mode 100644
index 0000000..09318c3
--- /dev/null
+++ b/template/stacks/core/forgejo/forgejo-sso/secret-forgejo.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: auth-generic-oauth-secret
+  namespace: gitea 
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  refreshInterval: "0"
+  target:
+    name: auth-generic-oauth-secret
+    template:
+      engineVersion: v2
+      data:
+        client_secret: "{{.FORGEJO_CLIENT_SECRET}}"
+  data:
+    - secretKey: FORGEJO_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: FORGEJO_CLIENT_SECRET
\ No newline at end of file
diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml
deleted file mode 100644
index 7d33fd6..0000000
--- a/template/stacks/core/forgejo/secret.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: forgejo-oidc
-  namespace: gitea
-type: Opaque
-stringData:
-  key: forgejo
-  secret: uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu
\ No newline at end of file
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index 4d81041..b24d023 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -31,7 +31,7 @@ gitea:
       ENABLE_AUTO_REGISTRATION: true
       ACCOUNT_LINKING: auto      
 #  oauth:
-#   - name: 'Keycloak'
+#    - name: 'Keycloak'
 #      provider: 'openidConnect'
 #      # key: 'forgejo'
 #      # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'

From 4ae8f6fd15c8702cf184802c841feb552850c19f Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 18:49:55 +0100
Subject: [PATCH 40/49] shortened retry backoff

---
 template/stacks/ref-implementation/argo-workflows.yaml | 4 ++++
 template/stacks/ref-implementation/backstage.yaml      | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml
index 3d33891..d001daa 100644
--- a/template/stacks/ref-implementation/argo-workflows.yaml
+++ b/template/stacks/ref-implementation/argo-workflows.yaml
@@ -23,3 +23,7 @@ spec:
       selfHeal: true
     retry:
       limit: -1
+      backoff:
+        duration: 5s
+        factor: 1
+        maxDuration: 10s
diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml
index 227d29f..c007181 100644
--- a/template/stacks/ref-implementation/backstage.yaml
+++ b/template/stacks/ref-implementation/backstage.yaml
@@ -23,3 +23,7 @@ spec:
       selfHeal: true
     retry:
       limit: -1
+      backoff:
+        duration: 5s
+        factor: 1
+        maxDuration: 10s

From aba4a4a0880690dfc1df99c44228eb5e7b3e7a84 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 19:03:36 +0100
Subject: [PATCH 41/49] shortened retry backoff

---
 template/stacks/ref-implementation/argo-workflows.yaml | 4 ++--
 template/stacks/ref-implementation/backstage.yaml      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/template/stacks/ref-implementation/argo-workflows.yaml b/template/stacks/ref-implementation/argo-workflows.yaml
index d001daa..ef23482 100644
--- a/template/stacks/ref-implementation/argo-workflows.yaml
+++ b/template/stacks/ref-implementation/argo-workflows.yaml
@@ -24,6 +24,6 @@ spec:
     retry:
       limit: -1
       backoff:
-        duration: 5s
+        duration: 15s
         factor: 1
-        maxDuration: 10s
+        maxDuration: 15s
diff --git a/template/stacks/ref-implementation/backstage.yaml b/template/stacks/ref-implementation/backstage.yaml
index c007181..01932dc 100644
--- a/template/stacks/ref-implementation/backstage.yaml
+++ b/template/stacks/ref-implementation/backstage.yaml
@@ -24,6 +24,6 @@ spec:
     retry:
       limit: -1
       backoff:
-        duration: 5s
+        duration: 15s
         factor: 1
-        maxDuration: 10s
+        maxDuration: 15s

From d0cce6916d367cad1b25cd3da77c19ddfd7f1e06 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 19:06:11 +0100
Subject: [PATCH 42/49] fixed argocd version

---
 template/stacks/core/argocd.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 4433721..4f65e09 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
@@ -21,7 +21,7 @@ spec:
       # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
       # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
       # similar to the CNOE amazon reference implementation and in our case, Forgejo
-      targetRevision: argo-cd-7.6.12
+      targetRevision: argo-cd-7.7.5
       helm:
         valueFiles:
           - $values/stacks/core/argocd/values.yaml

From a9c69d6c24cd5f6b7032e8513d4afd4ba867b5f2 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz <reitzrobert77@gmail.com>
Date: Tue, 4 Mar 2025 19:23:19 +0100
Subject: [PATCH 43/49] adjusted retry backoff time

---
 template/stacks/monitoring/kube-prometheus-sso.yaml | 6 ++++++
 template/stacks/monitoring/kube-prometheus.yaml     | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml
index d38d81e..0e6e43a 100644
--- a/template/stacks/monitoring/kube-prometheus-sso.yaml
+++ b/template/stacks/monitoring/kube-prometheus-sso.yaml
@@ -21,3 +21,9 @@ spec:
       - CreateNamespace=true
     automated:
       selfHeal: true
+    retry:
+      limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml
index 1f5218c..7bcf3ca 100644
--- a/template/stacks/monitoring/kube-prometheus.yaml
+++ b/template/stacks/monitoring/kube-prometheus.yaml
@@ -17,6 +17,10 @@ spec:
       - ServerSideApply=true  # do not copy metdata, since (because of its large size) it can lead to sync failure
     retry:
       limit: -1
+      backoff:
+        duration: 15s
+        factor: 1
+        maxDuration: 15s
   destination:
     name: in-cluster
     namespace: monitoring

From c298530caa1dd640d7dad8986b7136dc01bf7ef8 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Wed, 5 Mar 2025 12:39:34 +0100
Subject: [PATCH 44/49] fixes syntax error

---
 .../ref-implementation/keycloak/manifests/keycloak-config.yaml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index e6d0a4c..0e202f1 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -378,7 +378,7 @@ spec:
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
               
-              curl -sS -H "Content-Type: application/json" \
+              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
                 -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
                 -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
 

From 68166e110e976af2dbce8a3357866e1ec501cdb9 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Wed, 5 Mar 2025 14:46:11 +0100
Subject: [PATCH 45/49] adds defaultClientScopes to forgejo-client-payload.json

---
 .../keycloak/manifests/keycloak-config.yaml              | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 0e202f1..752ba7d 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -208,6 +208,15 @@ data:
       "webOrigins": [
         "/*"
       ]
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "offline_access",
+        "roles",
+        "profile",
+        "groups",
+        "email"
+      ]
     }
 
 ---

From 1ab8119063b54aba69dfcef1508e591d461e0065 Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Fri, 7 Mar 2025 20:28:39 +0000
Subject: [PATCH 46/49] Fixed kubectl download on Linux ARM64 VMs

---
 .../keycloak/manifests/keycloak-config.yaml                 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index c271336..6c8d603 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -285,7 +285,11 @@ spec:
               fi
               set -e
               
-              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              if [[ "$(uname -m)" == "x86_64" ]]; then
+                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              else
+                curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/arm64/kubectl"
+              fi
               chmod +x kubectl
               
               echo "creating cnoe realm and groups"

From 303d7b3a7e9e1b44aeecf497ffbfc17d83c34fed Mon Sep 17 00:00:00 2001
From: richardrobertreitz <Richard-Robert.Reitz@telekom.de>
Date: Sat, 8 Mar 2025 12:50:23 +0000
Subject: [PATCH 47/49] Update
 template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml

---
 .../skeleton/.github/workflows/maven-build.yml            | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
index c750bd4..62cbd53 100644
--- a/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
+++ b/template/stacks/ref-implementation/backstage-templates/entities/spring-petclinic/skeleton/.github/workflows/maven-build.yml
@@ -33,7 +33,7 @@ jobs:
         #run: ./mvnw spring-boot:build-image # the original image build
         run: |
           export CONTAINER_REPO=$(echo {% raw %}${{ env.GITHUB_REPOSITORY }}{% endraw %} | tr '[:upper:]' '[:lower:]')
-          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %}
+          ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:build -Djib.allowInsecureRegistries=true -Dimage={{{ .Env.DOMAIN_GITEA }}}/${CONTAINER_REPO}:latest -Djib.to.auth.username={% raw %}${{ github.actor }}{% endraw %} -Djib.to.auth.password={% raw %}${{ secrets.PACKAGES_TOKEN }}{% endraw %} -Djib.from.platforms=linux/arm64,linux/amd64
       - name: Build image as tar
         run: |
           ./mvnw com.google.cloud.tools:jib-maven-plugin:3.4.4:buildTar -Djib.allowInsecureRegistries=true
@@ -57,7 +57,11 @@ jobs:
           NODE_TLS_REJECT_UNAUTHORIZED: 0 # This is necessary due to self signed certs for forgejo, proper setups can skip this
       - name: install trivy from deb package
         run: |
-          wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
+          if [[ "$(uname -m)" == "x86_64" ]]; then
+            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
+          else
+            wget -O trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-ARM64.deb
+          fi
           DEBIAN_FRONTEND=noninteractive dpkg -i trivy.deb
       - name: scan the image
         run: trivy image --input jib-image.tar

From d972b3846c31bf3626bc2dd622486a837f3f7f18 Mon Sep 17 00:00:00 2001
From: "franz.germann" <franz.germann@telekom.de>
Date: Mon, 10 Mar 2025 10:38:37 +0100
Subject: [PATCH 48/49] adds tip for admin permissions

---
 template/stacks/core/forgejo/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index b24d023..1517571 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -36,7 +36,8 @@ gitea:
 #      # key: 'forgejo'
 #      # secret: 'uWEGALJKmNyUojJaK5LAK0w4OCEEDpDu'
 #      existingSecret: forgejo-oidc
-#      autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'  
+#      autoDiscoverUrl: 'https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/.well-known/openid-configuration'
+#      # admin-group: is to specify which keycloak group has forgejo admin permissions  
 
 service:
   ssh:

From 364a65a6be4f8e5b7ab7a6bc9584ab5bdc9287e2 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Tue, 11 Mar 2025 13:08:15 +0100
Subject: [PATCH 49/49] alloy configuration added

---
 template/stacks/monitoring/alloy.yaml        | 29 ++++++++++++++++++++
 template/stacks/monitoring/alloy/values.yaml |  4 +++
 2 files changed, 33 insertions(+)
 create mode 100644 template/stacks/monitoring/alloy.yaml
 create mode 100644 template/stacks/monitoring/alloy/values.yaml

diff --git a/template/stacks/monitoring/alloy.yaml b/template/stacks/monitoring/alloy.yaml
new file mode 100644
index 0000000..7d4d614
--- /dev/null
+++ b/template/stacks/monitoring/alloy.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: alloy
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: monitoring
+  sources:
+    - repoURL: https://github.com/grafana/alloy.git
+      path: operations/helm/charts/alloy   
+      targetRevision: HEAD      
+      helm:
+        valueFiles:
+          - $values/stacks/monitoring/alloy/values.yaml
+    - repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder
+      targetRevision: HEAD
+      ref: values
\ No newline at end of file
diff --git a/template/stacks/monitoring/alloy/values.yaml b/template/stacks/monitoring/alloy/values.yaml
new file mode 100644
index 0000000..3f038fa
--- /dev/null
+++ b/template/stacks/monitoring/alloy/values.yaml
@@ -0,0 +1,4 @@
+alloy:
+  create: false
+  name: alloy-config
+  key: config.alloy