KC deploy 3

KC deploy 2
KC deploy
2026-05-04 15:00:28 +02:00 · 2026-05-04 14:56:06 +02:00 · 2026-05-04 13:49:18 +02:00 · 2026-05-04 12:08:32 +02:00 · 2026-04-30 19:08:24 +02:00 · 2026-04-30 18:24:34 +02:00
27 changed files with 560 additions and 42 deletions
--- a/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
+++ b/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dbunk-demo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: dbunk-demo
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/dbunk-demo/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dbunk-demo
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
--- a/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
+++ b/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dbunk-demo.yaml
--- a/apps/overlays/upc-dev/feedback/feedback.yaml
+++ b/apps/overlays/upc-dev/feedback/feedback.yaml
@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: feedback
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "12"
+  labels:
+    app.kubernetes.io/name: feedback
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/feedback/values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: feedback
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
--- a/apps/overlays/upc-dev/feedback/kustomization.yaml
+++ b/apps/overlays/upc-dev/feedback/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- feedback.yaml
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- dbunk-demo
+- feedback

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -28,7 +28,6 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f "secrets/"
    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
    kubectl apply -f "private/${CLUSTER}/main.key"
 }
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -245,6 +245,12 @@ spec:
                secretKeyRef:
                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
+            - name: AUTH_OIDC_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
+            - name: AUTH_OIDC_BROKER_ALIAS
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
+            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -324,6 +330,8 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
+            - name: AUTH_MCP_IDP_HINT
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
            resources:
              limits:
                cpu: 50m
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1384,6 +1384,46 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone

+### Keycloak Microsoft/Entra Identity Provider
+
+**File**: `infra/values/upc-dev/keycloak-values.yaml`
+**Namespace**: `keycloak`
+
+**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
+
+**Configuration via keycloakConfigCli**:
+- IdP alias: `forte-entra`, provider: `microsoft`
+- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
+- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
+
+**Key Configuration Notes**:
+
+| Field | Location | Notes |
+|-------|----------|-------|
+| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
+| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
+| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
+| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
+
+**Token Storage & Broker Access**:
+- `storeToken: true` persists the Entra access token in Keycloak
+- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
+- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
+
+**Identity Provider Mappers**:
+- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
+
+**Required Secret** (`microsoft-idp-credentials`):
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: microsoft-idp-credentials
+  namespace: keycloak
+stringData:
+  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
+```
+
 ### Default Namespace Blocker

 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
--- a/infra/base/homepage/homepage-extra-rbac.yaml
+++ b/infra/base/homepage/homepage-extra-rbac.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: homepage-services-reader
+rules:
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: homepage-services-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: homepage-services-reader
+subjects:
+- kind: ServiceAccount
+  name: homepage
+  namespace: homepage
--- a/infra/base/homepage/homepage-widget-credentials-sealed.yaml
+++ b/infra/base/homepage/homepage-widget-credentials-sealed.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: homepage-widget-credentials
+  namespace: homepage
+spec:
+  encryptedData:
+    HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
+    HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
+  template:
+    metadata:
+      creationTimestamp: null
+      name: homepage-widget-credentials
+      namespace: homepage
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
+- homepage-widget-credentials-sealed.yaml
+- homepage-extra-rbac.yaml
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -22,3 +22,4 @@ resources:
 - karpor
 - databunker
 - homepage
+- vault
--- a/infra/base/kyverno-policies/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies/kyverno-policies.yaml
@@ -27,7 +27,6 @@ spec:
    automated:
      prune: true
      selfHeal: true
-      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
--- a/infra/base/vault/kustomization.yaml
+++ b/infra/base/vault/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vault.yaml
--- a/infra/base/vault/vault.yaml
+++ b/infra/base/vault/vault.yaml
@@ -0,0 +1,49 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://helm.releases.hashicorp.com
+    chart: vault
+    targetRevision: "0.32.0"
+    helm:
+      releaseName: vault
+      valueFiles:
+      - $values/infra/values/base/vault-values.yaml
+      - $values/infra/values/upc-dev/vault-values.yaml
+
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vault
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
+++ b/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: microsoft-idp-credentials
+  namespace: keycloak
+spec:
+  encryptedData:
+    MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
+  template:
+    metadata:
+      creationTimestamp: null
+      name: microsoft-idp-credentials
+      namespace: keycloak
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- entra-upc-dev-credentials-sealed.yaml

 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -39,11 +39,8 @@ server:
      gethomepage.dev/name: "ArgoCD"
      gethomepage.dev/description: "GitOps continuous delivery"
      gethomepage.dev/group: "DevOps"
-      gethomepage.dev/icon: "argocd"
+      gethomepage.dev/icon: "argo-cd"
      gethomepage.dev/href: "https://argocd.forteapps.net"
-      gethomepage.dev/widget.type: "argocd"
-      gethomepage.dev/widget.url: "https://argocd.forteapps.net"
-      # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_ARGOCD_TOKEN}}"
    tls: true
  extraArgs:
  - --insecure
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -122,7 +122,7 @@ ingress:
    gethomepage.dev/href: "https://git.forteapps.net"
    gethomepage.dev/widget.type: "gitea"
    gethomepage.dev/widget.url: "https://git.forteapps.net"
-    # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
+    gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
  hosts:
  - host: git.forteapps.net
    paths:
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -9,15 +9,15 @@ ingress:
    gethomepage.dev/group: "Monitoring"
    gethomepage.dev/icon: "grafana"
    gethomepage.dev/href: "https://grafana.forteapps.net"
-    gethomepage.dev/widget.type: "grafana"
-    gethomepage.dev/widget.url: "https://grafana.forteapps.net"
-    # gethomepage.dev/widget.username: "{{HOMEPAGE_VAR_GRAFANA_USER}}"
-    # gethomepage.dev/widget.password: "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}"
  tls:
  - secretName: grafana-tls
    hosts:
    - grafana.forteapps.net

+persistence:
+  enabled: true
+  size: 1Gi
+
 resources:
  requests:
    cpu: 50m
--- a/infra/values/base/homepage-values.yaml
+++ b/infra/values/base/homepage-values.yaml
@@ -14,20 +14,28 @@ config:
  # Scan all namespaces for services with gethomepage.dev/enabled: "true"
  kubernetes:
    mode: cluster
+    traefik: true

  settings:
-    title: "Forte Platform"
+    title: "Platform"
    headerStyle: clean
    layout:
+      Apps:
+        style: row
+        columns: 3
+      Security:
+        style: row
+        columns: 3
+      Tools:
+        style: row
+        header: false
+        columns: 2
        DevOps:
-        style: row
-        columns: 4
-      Identity:
-        style: row
-        columns: 4
+          style: column
+          rows: 2
        Monitoring:
-        style: row
-        columns: 4
+          style: column
+          rows: 1

  # Top-of-page cluster overview widget
  widgets:
@@ -39,14 +47,14 @@ config:
        showLabel: true
        label: "Cluster"
      nodes:
-        show: false
-  # Both empty — all entries come from K8s service annotations
+        show: true
+        cpu: true
+        memory: true
+        showLabel: true
+  # In-cluster entries come from K8s service annotations.
+  # External (out-of-cluster) services are listed here statically.
  bookmarks: []
  services: []
-  # Widget API credentials (optional — add via SealedSecret + envFrom below)
-  # Homepage reads HOMEPAGE_VAR_* env vars and substitutes them in widget annotations.
-  # Example: gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"
-  # To enable: create a sealed secret and add envFrom to load it.

 resources:
  requests:
@@ -55,3 +63,10 @@ resources:
  limits:
    cpu: 100m
    memory: 256Mi
+
+env:
+- name: HOMEPAGE_ALLOWED_HOSTS
+  value: start.forteapps.net
+envFrom:
+- secretRef:
+    name: homepage-widget-credentials
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -21,9 +21,9 @@ ingress:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Keycloak"
    gethomepage.dev/description: "Identity & access management"
-    gethomepage.dev/group: "Identity"
+    gethomepage.dev/group: "Security"
    gethomepage.dev/icon: "keycloak"
-    gethomepage.dev/href: "https://id.forteapps.net"
+    gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/"

 metrics:
  enabled: true
@@ -259,7 +259,7 @@ extraDeploy:
                ADMIN_PASS=$(cat /secrets/admin-password)

                echo "Authenticating to Keycloak..."
-                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+                TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
@@ -276,7 +276,7 @@ extraDeploy:
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
-                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  code=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
@@ -285,7 +285,7 @@ extraDeploy:
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
-                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    code=$(curl -s -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
@@ -332,7 +332,7 @@ extraDeploy:

                  # Get the client secret from Keycloak
                  local secret_value
-                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                  secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')

@@ -347,7 +347,7 @@ extraDeploy:

                  # Write to target namespace (if it exists)
                  local ns_status
-                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -371,12 +371,12 @@ extraDeploy:
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
-                  curl -sf -o /dev/null \
+                  curl -s -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
-                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
                }

                # =============================================
@@ -384,7 +384,7 @@ extraDeploy:
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="

-                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")

                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -409,7 +409,7 @@ extraDeploy:
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="

-                CONFIG_SECRETS=$(curl -sf \
+                CONFIG_SECRETS=$(curl -s \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -430,6 +430,10 @@ extraDeploy:
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)

                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
+                  if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
+                    echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
+                    continue
+                  fi
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"

                  # Compute config hash for change detection
@@ -443,7 +447,7 @@ extraDeploy:
                  CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')

                  # Check if credential Secret already exists in target namespace
-                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
+                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
@@ -466,18 +470,17 @@ extraDeploy:
                    publicClient: false,
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
-                    defaultClientScopes: .defaultClientScopes,
                    protocolMappers: (.protocolMappers // [])
-                  }')
+                  } + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end')

                  # Check if client already exists
-                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                  EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                    | jq -r '.[0].id // empty')

                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
@@ -490,7 +493,7 @@ extraDeploy:
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
@@ -501,11 +504,37 @@ extraDeploy:
                      continue
                    fi
                    # Fetch the newly created client's UUID
-                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
+                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                      | jq -r '.[0].id')
                  fi

+                  # Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
+                  REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
+                  if [ -n "$REQUESTED_SCOPES" ]; then
+                    # Fetch all realm client scopes once
+                    ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
+
+                    echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
+                      [ -z "$SCOPE_NAME" ] && continue
+                      SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
+                      if [ -z "$SCOPE_ID" ]; then
+                        echo "  WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
+                        continue
+                      fi
+                      SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                        -H "Authorization: Bearer ${TOKEN}" \
+                        -X PUT \
+                        "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
+                      if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
+                        echo "  Assigned scope '${SCOPE_NAME}'"
+                      else
+                        echo "  WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
+                      fi
+                    done
+                  fi
+
                  # Sync credentials to target namespace
                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"

--- a/infra/values/base/vault-values.yaml
+++ b/infra/values/base/vault-values.yaml
@@ -0,0 +1,36 @@
+# HashiCorp Vault Helm Chart Values
+# Chart: hashicorp/vault v0.32.0
+
+server:
+  standalone:
+    enabled: true
+
+  dataStorage:
+    enabled: true
+    size: 5Gi
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 250m
+      memory: 256Mi
+
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    pathType: Prefix
+    activeService: true
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      gethomepage.dev/enabled: "true"
+      gethomepage.dev/name: "Vault"
+      gethomepage.dev/description: "Secrets management"
+      gethomepage.dev/group: "Security"
+      gethomepage.dev/icon: "vault"
+      gethomepage.dev/href: "https://vault.forteapps.net"
+
+ui:
+  enabled: true
+  serviceType: ClusterIP
--- a/infra/values/upc-dev/databunker-values.yaml
+++ b/infra/values/upc-dev/databunker-values.yaml
@@ -1,3 +1,10 @@
 ingress:
  enabled: true
  host: databunker.forteapps.net
+  annotations:
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "Databunker"
+    gethomepage.dev/description: "Secure Database for PII and PCI Records"
+    gethomepage.dev/group: "Security"
+    gethomepage.dev/icon: "double-take"
+    gethomepage.dev/href: "https://databunker.forteapps.net"
--- a/infra/values/upc-dev/homepage-values.yaml
+++ b/infra/values/upc-dev/homepage-values.yaml
@@ -13,3 +13,53 @@ ingress:
    - secretName: homepage-tls
      hosts:
      - start.forteapps.net
+
+config:
+  settings:
+    title: "Forte Platform"
+    headerStyle: clean
+    layout:
+      Apps:
+        style: row
+        columns: 2
+      Security:
+        style: row
+        columns: 3
+      Tools:
+        style: row
+        header: false
+        columns: 2
+        DevOps:
+          style: column
+          rows: 2
+        Monitoring:
+          style: column
+          rows: 1
+
+  # Top-of-page cluster overview widget
+  widgets:
+  - kubernetes:
+      cluster:
+        show: true
+        cpu: true
+        memory: true
+        showLabel: true
+        label: "Cluster"
+      nodes:
+        show: true
+        cpu: true
+        memory: true
+        showLabel: true
+  # In-cluster entries come from K8s service annotations.
+  # External (out-of-cluster) services are listed here statically.
+  bookmarks: []
+  services:
+  - Apps:
+    - Forte Benken:
+        href: https://benken.hackathon.forteapps.net
+        description: Teknisk kompetanse fra offentlige anbud
+        icon: forte
+    - Forte Feedback:
+        href: https://feedback.forteapps.net
+        description: Fortes internal feedback app
+        icon: forte
--- a/infra/values/upc-dev/keycloak-values.yaml
+++ b/infra/values/upc-dev/keycloak-values.yaml
@@ -1,2 +1,112 @@
 ingress:
  hostname: id.forteapps.net
+
+extraEnvVars:
+  - name: KC_FEATURES
+    value: "token-exchange:v1,admin-fine-grained-authz:v1"
+
+keycloakConfigCli:
+  enabled: true
+  extraEnvVars:
+    - name: IMPORT_VAR_SUBSTITUTION_ENABLED
+      value: "true"
+    - name: MS_IDP_CLIENT_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: microsoft-idp-credentials
+          key: MS_IDP_CLIENT_SECRET
+  configuration:
+    microsoft-idp.json: |
+      {
+        "realm": "forte",
+        "authenticationFlows": [
+          {
+            "alias": "auto-link-first-broker-login",
+            "description": "Auto-link IdP accounts to existing users by email",
+            "providerId": "basic-flow",
+            "topLevel": true,
+            "builtIn": false,
+            "authenticationExecutions": [
+              {
+                "authenticator": "idp-create-user-if-unique",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 10
+              },
+              {
+                "authenticator": "idp-auto-link",
+                "authenticatorFlow": false,
+                "requirement": "ALTERNATIVE",
+                "priority": 20
+              }
+            ]
+          }
+        ],
+        "identityProviders": [
+          {
+            "alias": "forte-entra",
+            "displayName": "Forte Entra",
+            "providerId": "microsoft",
+            "enabled": true,
+            "trustEmail": true,
+            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
+            "config": {
+              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
+              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
+              "defaultScope": "openid email profile",
+              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
+              "syncMode": "IMPORT"
+            }
+          },
+          {
+            "alias": "forte-entra-graph",
+            "displayName": "Forte Entra (Graph)",
+            "providerId": "microsoft",
+            "enabled": true,
+            "storeToken": true,
+            "trustEmail": true,
+            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
+            "config": {
+              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
+              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
+              "defaultScope": "openid email profile User.Read Mail.Send",
+              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
+              "syncMode": "IMPORT"
+            }
+          }
+        ],
+        "identityProviderMappers": [
+          {
+            "name": "forte-entra-email",
+            "identityProviderAlias": "forte-entra",
+            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+            "config": {
+              "syncMode": "INHERIT",
+              "attribute": "emailVerified",
+              "attribute.value": "true"
+            }
+          },
+          {
+            "name": "forte-entra-graph-email",
+            "identityProviderAlias": "forte-entra-graph",
+            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
+            "config": {
+              "syncMode": "INHERIT",
+              "attribute": "emailVerified",
+              "attribute.value": "true"
+            }
+          }
+        ],
+        "roles": {
+          "realm": [
+            {
+              "name": "default-roles-forte",
+              "composites": {
+                "client": {
+                  "broker": ["read-token"]
+                }
+              }
+            }
+          ]
+        }
+      }
--- a/infra/values/upc-dev/vault-values.yaml
+++ b/infra/values/upc-dev/vault-values.yaml
@@ -0,0 +1,9 @@
+server:
+  ingress:
+    hosts:
+    - host: vault.forteapps.net
+      paths: []
+    tls:
+    - secretName: vault-tls
+      hosts:
+      - vault.forteapps.net
Author	SHA1	Message	Date
Danijel Simeunovic	9d33b6a9c3	KC deploy 3	2026-05-04 15:00:28 +02:00
Danijel Simeunovic	0036d986a8	KC deploy 2	2026-05-04 14:56:06 +02:00
Danijel Simeunovic	70dab12b05	KC deploy	2026-05-04 13:49:18 +02:00
Danijel Simeunovic	47e9619ae2	KC_FEATURES	2026-05-04 12:08:32 +02:00
Danijel Simeunovic	2e09a2d404	ign diff	2026-04-30 19:08:24 +02:00
Danijel Simeunovic	9e9254a466	auto flow	2026-04-30 18:24:34 +02:00
Danijel Simeunovic	539217c3f2	subst	2026-04-30 18:16:25 +02:00
Danijel Simeunovic	80cf435486	test2	2026-04-30 18:11:48 +02:00
Danijel Simeunovic	0d7980d105	env secret	2026-04-30 18:05:09 +02:00
Danijel Simeunovic	f280596ddb	debug	2026-04-30 18:00:08 +02:00
Danijel Simeunovic	65dc795cd6	idp hint	2026-04-30 15:50:23 +02:00
Danijel Simeunovic	237dc0ff90	new idp	2026-04-30 15:34:58 +02:00
Danijel Simeunovic	788cc8f4f4	tenantId	2026-04-30 15:19:37 +02:00
Danijel Simeunovic	4def4d2ed7	cli enable	2026-04-30 15:08:20 +02:00
Danijel Simeunovic	7d1e2d4665	broker alias	2026-04-30 14:49:38 +02:00
Danijel Simeunovic	417185d567	idp auto config Co-authored-by: Copilot <copilot@github.com>	2026-04-30 14:37:13 +02:00
Danijel Simeunovic	03e60a3512	kc syncer	2026-04-30 11:45:30 +02:00
Danijel Simeunovic	2135580210	kc script	2026-04-29 14:42:27 +02:00
Danijel Simeunovic	37a38a1179	feedback app Co-authored-by: Copilot <copilot@github.com>	2026-04-29 14:22:02 +02:00
Danijel Simeunovic	4ca9039686	kpolicy	2026-04-29 12:54:07 +02:00
Danijel Simeunovic	6a9eadbde8	vault ignore diffs	2026-04-29 12:50:10 +02:00
Danijel Simeunovic	f19f7c9237	icon	2026-04-29 12:07:04 +02:00
Danijel Simeunovic	5a459d486e	dbunk-demo	2026-04-29 10:53:35 +02:00
Danijel Simeunovic	31fb476a78	row	2026-04-29 10:06:02 +02:00
Danijel Simeunovic	a088425b70	homepage config	2026-04-29 10:04:20 +02:00
Danijel Simeunovic	b3b3edf82c	no header	2026-04-28 23:03:15 +02:00
Danijel Simeunovic	308755a4b3	layout	2026-04-28 23:02:13 +02:00
Danijel Simeunovic	db6afaf180	vault Co-authored-by: Copilot <copilot@github.com>	2026-04-28 22:44:57 +02:00
Danijel Simeunovic	5a2f9a1b88	Update infra/values/base/keycloak-values.yaml Signed-off-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-28 19:27:38 +00:00
Danijel Simeunovic	1c6f18b67c	homepage	2026-04-28 20:38:59 +02:00