16 Commits

Author SHA1 Message Date
3e590e4a19 Merge branch 'main' of https://git.forteapps.net/Forte/launchpad 2026-04-28 20:11:41 +02:00
00128b6beb db home 2026-04-28 20:11:37 +02:00
a4599fdf91 icon 2026-04-28 16:50:10 +02:00
c76bb562a4 ff homepage 2026-04-28 16:48:29 +02:00
53b43da813 traefik enable 2026-04-28 16:02:12 +02:00
0ac7f94c26 hp rbac extra 2026-04-28 15:51:53 +02:00
6ab8cad193 hp apps 2026-04-28 15:47:13 +02:00
9b91b5a26e widgets 2026-04-28 15:29:49 +02:00
d8d0b2e1dd argo icon hp 2026-04-28 15:26:14 +02:00
5653036f5d no token 2026-04-28 15:16:04 +02:00
caf14c90a8 templating fix 2026-04-28 15:03:10 +02:00
3880ba843a grafana token 2026-04-28 14:59:59 +02:00
27843f3786 token scope 2026-04-28 14:33:27 +02:00
1783c76a2d gitea widget 2026-04-28 14:30:59 +02:00
e9513da92b hp config 2026-04-28 14:21:01 +02:00
f5486a9210 homepage 2026-04-28 14:10:53 +02:00
20 changed files with 36 additions and 496 deletions


@@ -1,47 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dbunk-demo
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "12"
labels:
app.kubernetes.io/name: dbunk-demo
app.kubernetes.io/part-of: apps
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
path: forteapp
targetRevision: HEAD
helm:
valueFiles:
- $values/dbunk-demo/values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: dbunk-demo
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- dbunk-demo.yaml


@@ -1,53 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: feedback
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "12"
labels:
app.kubernetes.io/name: feedback
app.kubernetes.io/part-of: apps
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
path: forteapp
targetRevision: HEAD
helm:
valueFiles:
- $values/feedback/values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: feedback
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
ignoreDifferences:
- group: apps
kind: StatefulSet
jsonPointers:
- /spec/volumeClaimTemplates


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- feedback.yaml


@@ -2,8 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../base - ../../base
- dbunk-demo
- feedback
# No patches needed — base already has "upc-dev" paths # No patches needed — base already has "upc-dev" paths
# upc-dev is the default/base cluster # upc-dev is the default/base cluster


@@ -245,12 +245,6 @@ spec:
secretKeyRef: secretKeyRef:
name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}" name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}" key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
- name: AUTH_OIDC_IDP_HINT
value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
- name: AUTH_OIDC_BROKER_ALIAS
value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
- name: AUTH_OIDC_BROKER_TOKEN_HEADER
value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
resources: resources:
limits: limits:
cpu: 50m cpu: 50m
@@ -330,8 +324,6 @@ spec:
value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}" value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
- name: AUTH_MCP_SCOPES_SUPPORTED - name: AUTH_MCP_SCOPES_SUPPORTED
value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile' }}" value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile' }}"
- name: AUTH_MCP_IDP_HINT
value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
resources: resources:
limits: limits:
cpu: 50m cpu: 50m


@@ -1384,46 +1384,6 @@ spec:
- Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`) - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
- `synchronize: true` — changes to the source Secret are reflected in the clone - `synchronize: true` — changes to the source Secret are reflected in the clone
### Keycloak Microsoft/Entra Identity Provider
**File**: `infra/values/upc-dev/keycloak-values.yaml`
**Namespace**: `keycloak`
**Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
**Configuration via keycloakConfigCli**:
- IdP alias: `forte-entra`, provider: `microsoft`
- Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
- `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
**Key Configuration Notes**:
| Field | Location | Notes |
|-------|----------|-------|
| `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
| `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
| `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
| `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
**Token Storage & Broker Access**:
- `storeToken: true` persists the Entra access token in Keycloak
- Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
- Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
**Identity Provider Mappers**:
- `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
**Required Secret** (`microsoft-idp-credentials`):
```yaml
apiVersion: v1
kind: Secret
metadata:
name: microsoft-idp-credentials
namespace: keycloak
stringData:
MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
```
### Default Namespace Blocker ### Default Namespace Blocker
**File**: `cluster-resources/policies/default-ns-blocker.yaml` **File**: `cluster-resources/policies/default-ns-blocker.yaml`


@@ -22,4 +22,3 @@ resources:
- karpor - karpor
- databunker - databunker
- homepage - homepage
- vault


@@ -27,6 +27,7 @@ spec:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
allowEmpty: false
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- Validate=true - Validate=true
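Review bot: The added `allowEmpty: false` restates Argo CD's default for automated sync, so the line changes no behaviour, and a reader who does not know the default may assume it enables something. A short comment would make the intent explicit: `allowEmpty: false  # Argo CD default, stated explicitly: auto-sync refuses to prune when the rendered source is empty`. It does bring this Application in line with the other Application manifests in this repository that spell the setting out, which is worth saying in the commit description as the reason. The enclosing `spec.syncPolicy` block starts and ends outside the hunk.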


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- vault.yaml


@@ -1,49 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "1"
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/part-of: security
app.kubernetes.io/managed-by: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://helm.releases.hashicorp.com
chart: vault
targetRevision: "0.32.0"
helm:
releaseName: vault
valueFiles:
- $values/infra/values/base/vault-values.yaml
- $values/infra/values/upc-dev/vault-values.yaml
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
targetRevision: HEAD
ref: values
destination:
server: https://kubernetes.default.svc
namespace: vault
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=true
ignoreDifferences:
- group: apps
kind: StatefulSet
jsonPointers:
- /spec/volumeClaimTemplates


@@ -1,15 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: microsoft-idp-credentials
namespace: keycloak
spec:
encryptedData:
MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
template:
metadata:
creationTimestamp: null
name: microsoft-idp-credentials
namespace: keycloak


@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../base - ../../base
- entra-upc-dev-credentials-sealed.yaml
# No patches needed — base already has "upc-dev" paths # No patches needed — base already has "upc-dev" paths
# upc-dev is the default/base cluster # upc-dev is the default/base cluster


@@ -17,25 +17,21 @@ config:
traefik: true traefik: true
settings: settings:
title: "Platform" title: "Forte Platform"
headerStyle: clean headerStyle: clean
layout: layout:
Apps: Apps:
style: row style: row
columns: 3 columns: 4
Security: Identity:
style: row style: row
columns: 3 columns: 4
Tools:
style: row
header: false
columns: 2
DevOps: DevOps:
style: column style: row
rows: 2 columns: 4
Monitoring: Monitoring:
style: column style: row
rows: 1 columns: 4
# Top-of-page cluster overview widget # Top-of-page cluster overview widget
widgets: widgets:
@@ -54,7 +50,12 @@ config:
# In-cluster entries come from K8s service annotations. # In-cluster entries come from K8s service annotations.
# External (out-of-cluster) services are listed here statically. # External (out-of-cluster) services are listed here statically.
bookmarks: [] bookmarks: []
services: [] services:
- Apps:
- Forte Feedback:
href: https://feedback.forteapps.net
description: Fortes internal feedback app
icon: forte
resources: resources:
requests: requests:
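Review bot: Renaming the layout group `Security` to `Identity` in the first hunk changes the name that every `gethomepage.dev/group` annotation has to match, and nothing in the config documents that coupling; the keycloak and databunker values are updated in this same change, but any service elsewhere still annotated with `"Security"` would silently land in an unlaid-out default group. A comment on the `layout:` key would make the contract visible: `# Group names must match the gethomepage.dev/group annotation on in-cluster services and the group keys under services:`. The static `Forte Feedback` entry added in the second hunk points at `https://feedback.forteapps.net`, while the `feedback` Argo Application that served that host is deleted in this same commit; if the app was moved to another repository that is fine, otherwise this is a dead link on the start page. The surrounding `config:` mapping begins and ends outside the hunks.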


@@ -21,9 +21,9 @@ ingress:
gethomepage.dev/enabled: "true" gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Keycloak" gethomepage.dev/name: "Keycloak"
gethomepage.dev/description: "Identity & access management" gethomepage.dev/description: "Identity & access management"
gethomepage.dev/group: "Security" gethomepage.dev/group: "Identity"
gethomepage.dev/icon: "keycloak" gethomepage.dev/icon: "keycloak"
gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/" gethomepage.dev/href: "https://id.forteapps.net"
metrics: metrics:
enabled: true enabled: true
@@ -259,7 +259,7 @@ extraDeploy:
ADMIN_PASS=$(cat /secrets/admin-password) ADMIN_PASS=$(cat /secrets/admin-password)
echo "Authenticating to Keycloak..." echo "Authenticating to Keycloak..."
TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \ TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
-d "client_id=admin-cli" \ -d "client_id=admin-cli" \
-d "username=${ADMIN_USER}" \ -d "username=${ADMIN_USER}" \
-d "password=${ADMIN_PASS}" \ -d "password=${ADMIN_PASS}" \
@@ -276,7 +276,7 @@ extraDeploy:
upsert_secret() { upsert_secret() {
local ns="$1" name="$2" manifest="$3" local ns="$1" name="$2" manifest="$3"
local code local code
code=$(curl -s -o /dev/null -w "%{http_code}" \ code=$(curl -sf -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
@@ -285,7 +285,7 @@ extraDeploy:
if [ "$code" = "200" ]; then if [ "$code" = "200" ]; then
echo " Updated secret '${ns}/${name}'" echo " Updated secret '${ns}/${name}'"
elif [ "$code" = "404" ]; then elif [ "$code" = "404" ]; then
code=$(curl -s -o /dev/null -w "%{http_code}" \ code=$(curl -sf -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
@@ -332,7 +332,7 @@ extraDeploy:
# Get the client secret from Keycloak # Get the client secret from Keycloak
local secret_value local secret_value
secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
| jq -r '.value') | jq -r '.value')
@@ -347,7 +347,7 @@ extraDeploy:
# Write to target namespace (if it exists) # Write to target namespace (if it exists)
local ns_status local ns_status
ns_status=$(curl -s -o /dev/null -w "%{http_code}" \ ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/${target_ns}") "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -371,12 +371,12 @@ extraDeploy:
local ns="$1" name="$2" key="$3" value="$4" local ns="$1" name="$2" key="$3" value="$4"
local patch local patch
patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value") patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
curl -s -o /dev/null \ curl -sf -o /dev/null \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
-H "Content-Type: application/strategic-merge-patch+json" \ -H "Content-Type: application/strategic-merge-patch+json" \
-X PATCH -d "$patch" \ -X PATCH -d "$patch" \
"${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
} }
# ============================================= # =============================================
@@ -384,7 +384,7 @@ extraDeploy:
# ============================================= # =============================================
echo "=== Legacy sync: clients with k8s.secret.sync=true ===" echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients") "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]') SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -409,7 +409,7 @@ extraDeploy:
echo "" echo ""
echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ===" echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
CONFIG_SECRETS=$(curl -s \ CONFIG_SECRETS=$(curl -sf \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true") "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -430,10 +430,6 @@ extraDeploy:
CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d) CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId') CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
continue
fi
echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'" echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
# Compute config hash for change detection # Compute config hash for change detection
@@ -447,7 +443,7 @@ extraDeploy:
CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"') CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
# Check if credential Secret already exists in target namespace # Check if credential Secret already exists in target namespace
CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \ CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
--cacert "$CA_CERT" \ --cacert "$CA_CERT" \
-H "Authorization: Bearer ${SA_TOKEN}" \ -H "Authorization: Bearer ${SA_TOKEN}" \
"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}") "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
@@ -470,17 +466,18 @@ extraDeploy:
publicClient: false, publicClient: false,
redirectUris: .redirectUris, redirectUris: .redirectUris,
webOrigins: .webOrigins, webOrigins: .webOrigins,
defaultClientScopes: .defaultClientScopes,
protocolMappers: (.protocolMappers // []) protocolMappers: (.protocolMappers // [])
} + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end') }')
# Check if client already exists # Check if client already exists
EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
| jq -r '.[0].id // empty') | jq -r '.[0].id // empty')
if [ -n "$EXISTING" ]; then if [ -n "$EXISTING" ]; then
echo " Updating existing Keycloak client (uuid: ${EXISTING})" echo " Updating existing Keycloak client (uuid: ${EXISTING})"
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \ -H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-X PUT -d "$KC_CLIENT" \ -X PUT -d "$KC_CLIENT" \
@@ -493,7 +490,7 @@ extraDeploy:
CLIENT_UUID="$EXISTING" CLIENT_UUID="$EXISTING"
else else
echo " Creating new Keycloak client '${CLIENT_ID}'" echo " Creating new Keycloak client '${CLIENT_ID}'"
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \ -H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-X POST -d "$KC_CLIENT" \ -X POST -d "$KC_CLIENT" \
@@ -504,37 +501,11 @@ extraDeploy:
continue continue
fi fi
# Fetch the newly created client's UUID # Fetch the newly created client's UUID
CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
| jq -r '.[0].id') | jq -r '.[0].id')
fi fi
# Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
if [ -n "$REQUESTED_SCOPES" ]; then
# Fetch all realm client scopes once
ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
"${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
[ -z "$SCOPE_NAME" ] && continue
SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
if [ -z "$SCOPE_ID" ]; then
echo " WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
continue
fi
SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${TOKEN}" \
-X PUT \
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
echo " Assigned scope '${SCOPE_NAME}'"
else
echo " WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
fi
done
fi
# Sync credentials to target namespace # Sync credentials to target namespace
sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY" sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"
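Review bot: Dropping the `CLIENT_ID` null/empty guard (the four lines removed right after the `jq -r '.clientId'` extraction in the `@@ -430,10 +430,6 @@` hunk) means a self-service config Secret without a `clientId` now yields the literal string `null`, which flows on into the `clients?clientId=null` lookup and the create path, so a malformed config can create or update a Keycloak client named `null`. Restoring the check in a shorter form keeps the protection: `CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId // empty')` followed by `[ -z "$CLIENT_ID" ] && { echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"; continue; }`. The blanket `-s` to `-sf` change interacts with the `-w "%{http_code}"` probes in `upsert_secret` and the `ns_status`/`CRED_EXISTS` lookups: with `-f` a 404 makes curl exit non-zero, so if the script runs under `set -e` (not visible in these hunks) the assignment aborts the job before the 404 branch that creates the Secret is reached, and the `|| true` removed from the annotation PATCH loses its best-effort semantics the same way. The `defaultClientScopes` move in the `@@ -470,17 +466,18 @@` hunk relies on the Admin API honouring that field in the request body, which the comment deleted in the last hunk explicitly said it does not do for POST/PUT; if that holds at least for the PUT path, scope changes on existing clients will be skipped silently now that the assignment loop is gone. The `extraDeploy` script begins and ends outside these hunks.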


@@ -1,36 +0,0 @@
# HashiCorp Vault Helm Chart Values
# Chart: hashicorp/vault v0.32.0
server:
standalone:
enabled: true
dataStorage:
enabled: true
size: 5Gi
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
ingress:
enabled: true
ingressClassName: traefik
pathType: Prefix
activeService: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Vault"
gethomepage.dev/description: "Secrets management"
gethomepage.dev/group: "Security"
gethomepage.dev/icon: "vault"
gethomepage.dev/href: "https://vault.forteapps.net"
ui:
enabled: true
serviceType: ClusterIP


@@ -5,6 +5,6 @@ ingress:
gethomepage.dev/enabled: "true" gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Databunker" gethomepage.dev/name: "Databunker"
gethomepage.dev/description: "Secure Database for PII and PCI Records" gethomepage.dev/description: "Secure Database for PII and PCI Records"
gethomepage.dev/group: "Security" gethomepage.dev/group: "Identity"
gethomepage.dev/icon: "double-take" gethomepage.dev/icon: "adminer"
gethomepage.dev/href: "https://databunker.forteapps.net" gethomepage.dev/href: "https://databunker.forteapps.net"


@@ -13,53 +13,3 @@ ingress:
- secretName: homepage-tls - secretName: homepage-tls
hosts: hosts:
- start.forteapps.net - start.forteapps.net
config:
settings:
title: "Forte Platform"
headerStyle: clean
layout:
Apps:
style: row
columns: 2
Security:
style: row
columns: 3
Tools:
style: row
header: false
columns: 2
DevOps:
style: column
rows: 2
Monitoring:
style: column
rows: 1
# Top-of-page cluster overview widget
widgets:
- kubernetes:
cluster:
show: true
cpu: true
memory: true
showLabel: true
label: "Cluster"
nodes:
show: true
cpu: true
memory: true
showLabel: true
# In-cluster entries come from K8s service annotations.
# External (out-of-cluster) services are listed here statically.
bookmarks: []
services:
- Apps:
- Forte Benken:
href: https://benken.hackathon.forteapps.net
description: Teknisk kompetanse fra offentlige anbud
icon: forte
- Forte Feedback:
href: https://feedback.forteapps.net
description: Fortes internal feedback app
icon: forte


@@ -1,112 +1,2 @@
ingress: ingress:
hostname: id.forteapps.net hostname: id.forteapps.net
extraEnvVars:
- name: KC_FEATURES
value: "token-exchange:v1,admin-fine-grained-authz:v1"
keycloakConfigCli:
enabled: true
extraEnvVars:
- name: IMPORT_VAR_SUBSTITUTION_ENABLED
value: "true"
- name: MS_IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: microsoft-idp-credentials
key: MS_IDP_CLIENT_SECRET
configuration:
microsoft-idp.json: |
{
"realm": "forte",
"authenticationFlows": [
{
"alias": "auto-link-first-broker-login",
"description": "Auto-link IdP accounts to existing users by email",
"providerId": "basic-flow",
"topLevel": true,
"builtIn": false,
"authenticationExecutions": [
{
"authenticator": "idp-create-user-if-unique",
"authenticatorFlow": false,
"requirement": "ALTERNATIVE",
"priority": 10
},
{
"authenticator": "idp-auto-link",
"authenticatorFlow": false,
"requirement": "ALTERNATIVE",
"priority": 20
}
]
}
],
"identityProviders": [
{
"alias": "forte-entra",
"displayName": "Forte Entra",
"providerId": "microsoft",
"enabled": true,
"trustEmail": true,
"firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
"config": {
"clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
"clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
"defaultScope": "openid email profile",
"tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
"syncMode": "IMPORT"
}
},
{
"alias": "forte-entra-graph",
"displayName": "Forte Entra (Graph)",
"providerId": "microsoft",
"enabled": true,
"storeToken": true,
"trustEmail": true,
"firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
"config": {
"clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
"clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
"defaultScope": "openid email profile User.Read Mail.Send",
"tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
"syncMode": "IMPORT"
}
}
],
"identityProviderMappers": [
{
"name": "forte-entra-email",
"identityProviderAlias": "forte-entra",
"identityProviderMapper": "hardcoded-attribute-idp-mapper",
"config": {
"syncMode": "INHERIT",
"attribute": "emailVerified",
"attribute.value": "true"
}
},
{
"name": "forte-entra-graph-email",
"identityProviderAlias": "forte-entra-graph",
"identityProviderMapper": "hardcoded-attribute-idp-mapper",
"config": {
"syncMode": "INHERIT",
"attribute": "emailVerified",
"attribute.value": "true"
}
}
],
"roles": {
"realm": [
{
"name": "default-roles-forte",
"composites": {
"client": {
"broker": ["read-token"]
}
}
}
]
}
}


@@ -1,9 +0,0 @@
server:
ingress:
hosts:
- host: vault.forteapps.net
paths: []
tls:
- secretName: vault-tls
hosts:
- vault.forteapps.net