From 9c635b576139e3dbfeae380b94cc5ec37d1d8274 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Fri, 14 Feb 2025 05:54:15 +0100 Subject: [PATCH 01/29] Update values-kind-security.yaml --- platform-apps/target-chart/values-kind-security.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/platform-apps/target-chart/values-kind-security.yaml b/platform-apps/target-chart/values-kind-security.yaml index 53dc287a..bb90b167 100644 --- a/platform-apps/target-chart/values-kind-security.yaml +++ b/platform-apps/target-chart/values-kind-security.yaml @@ -34,7 +34,13 @@ applications: - name: vault annotations: argocd.argoproj.io/sync-wave: "-5" - + + - name: velero + + - name: velero-ui + + - name: minio + - name: falco annotations: argocd.argoproj.io/compare-options: ServerSideDiff=true From 8f55e0134258401b3b6745b4fc56cf1e14017dd1 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sun, 16 Feb 2025 17:41:51 +0100 Subject: [PATCH 02/29] feat: add crossplane resource health checks according to https://docs.crossplane.io/latest/guides/crossplane-with-argo-cd/ --- platform-apps/charts/argocd/values-k3d.yaml | 133 ++++++++++++++++++++ 1 file changed, 133 insertions(+) diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 27f57fe1..7c8ddb92 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml 
@@ -32,6 +32,139 @@ argo-cd: end return hs + "*.upbound.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + + local has_no_status = { + "ProviderConfig", + "ProviderConfigUsage" + } + + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." + return health_status + end + return health_status + end + + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + + return health_status + + "*.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." 
+ } + + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + + local has_no_status = { + "Composition", + "CompositionRevision", + "DeploymentRuntimeConfig", + "ControllerConfig", + "ProviderConfig", + "ProviderConfigUsage" + } + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." + return health_status + end + return health_status + end + + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + + return health_status + + + rbac: policy.csv: | p, backstage, applications, get, */*, allow From fb8df46db864d1b7415472bd9e19a0906ccffe81 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sun, 16 Feb 2025 18:13:18 +0100 Subject: [PATCH 03/29] fix indent --- platform-apps/charts/argocd/values-k3d.yaml | 192 ++++++++++---------- 1 file changed, 96 insertions(+), 96 deletions(-) 
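Review bot: In both `health.lua` scripts the first guard, `if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then`, parses as `A or (B and C)` because `and` binds tighter than `or` in Lua, so any resource whose `status` is still nil is reported Healthy whatever its kind. Argo CD can then treat a managed resource the provider has never reconciled as healthy and proceed to later sync waves. Parenthesising the status test restores the intended meaning: `if (obj.status == nil or next(obj.status) == nil) and contains(has_no_status, obj.kind) then`. `health_status` is also assigned as a global and the helper's `table` parameter shadows the standard library, so `local health_status = {` and a parameter name such as `list` would be tidier. The same lines are carried unchanged into the re-indent in PATCH 03.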
diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml
index 7c8ddb92..a86a1160 100644
--- a/platform-apps/charts/argocd/values-k3d.yaml
+++ b/platform-apps/charts/argocd/values-k3d.yaml
@@ -32,136 +32,136 @@ argo-cd: end return hs - "*.upbound.io/*": - health.lua: | - health_status = { - status = "Progressing", - message = "Provisioning ..." - } - - local function contains (table, val) - for i, v in ipairs(table) do - if v == val then - return true + "*.upbound.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end end + return false end - return false - end - local has_no_status = { - "ProviderConfig", - "ProviderConfigUsage" - } + local has_no_status = { + "ProviderConfig", + "ProviderConfigUsage" + } - if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - - if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then - if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then health_status.status = "Healthy" - health_status.message = "Resource is in use." + health_status.message = "Resource is up-to-date." return health_status end - return health_status - end - for i, condition in ipairs(obj.status.conditions) do - if condition.type == "LastAsyncOperation" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." 
return health_status end + return health_status end - if condition.type == "Synced" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end end - end - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end end - end - end - return health_status + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end - "*.crossplane.io/*": - health.lua: | - health_status = { - status = "Progressing", - message = "Provisioning ..." - } + return health_status - local function contains (table, val) - for i, v in ipairs(table) do - if v == val then - return true + "*.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end end + return false end - return false - end - - local has_no_status = { - "Composition", - "CompositionRevision", - "DeploymentRuntimeConfig", - "ControllerConfig", - "ProviderConfig", - "ProviderConfigUsage" - } - if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." 
- return health_status - end - if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then - if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + local has_no_status = { + "Composition", + "CompositionRevision", + "DeploymentRuntimeConfig", + "ControllerConfig", + "ProviderConfig", + "ProviderConfigUsage" + } + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then health_status.status = "Healthy" - health_status.message = "Resource is in use." + health_status.message = "Resource is up-to-date." return health_status end - return health_status - end - for i, condition in ipairs(obj.status.conditions) do - if condition.type == "LastAsyncOperation" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." return health_status end + return health_status end - if condition.type == "Synced" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end end - end - if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." 
- return health_status + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end end end - end - return health_status + return health_status From e7b730ff39b346167d1e21d0cd0d9a42549412ca Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sun, 16 Feb 2025 23:23:19 +0100 Subject: [PATCH 04/29] fix: keycloak-builtin-objects-kubrix expects this secret --- .../charts/keycloak/templates/cp-keycloak-cp-secret.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml index ad02c7b4..e8aab116 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml @@ -5,6 +5,9 @@ metadata: namespace: crossplane labels: type: provider-credentials + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "-1" type: Opaque stringData: credentials: | From cad4e2fb055bab24b7f5863dbdc9204dea3e5b67 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sun, 16 Feb 2025 23:52:36 +0100 Subject: [PATCH 05/29] fix: XR needs keycloak service and deployment --- platform-apps/charts/keycloak/templates/xr.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/platform-apps/charts/keycloak/templates/xr.yaml b/platform-apps/charts/keycloak/templates/xr.yaml index 8dc49a30..c0ffba28 100644 --- a/platform-apps/charts/keycloak/templates/xr.yaml +++ b/platform-apps/charts/keycloak/templates/xr.yaml 
@@ -29,7 +29,6 @@ metadata: name: keycloak-builtin-objects-{{ .Values.deployments.keycloak.realm.realmid }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" spec: providerConfigName: sx-keycloak-config providerSecretName: keycloak-credentials-cp From 39095b4666136a48452e1ff0de0a0f58c7acf79f Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 17 Feb 2025 00:22:36 +0100 Subject: [PATCH 06/29] fix: keycloak-builtin-objects-kubrix needs realm --- platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml index 6e01d17f..61e337fd 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml @@ -8,7 +8,6 @@ metadata: annotations: link.argocd.argoproj.io/external-link: https://{{ .Values.deployments.ingress.host }}/admin/master/console/#/{{ .Values.deployments.keycloak.realm.realmid }} argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" spec: forProvider: realm: {{ .Values.deployments.keycloak.realm.realmid }} From ce39668eab2446b3b746aa9cf720304a7321bcc0 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Fri, 21 Feb 2025 21:29:04 +0100 Subject: [PATCH 07/29] create roles dynamically based on the values Signed-off-by: Johannes Kleinlercher --- .../cp-keycloak-grafana-group-roles.yaml | 84 ++----------------- .../keycloak/values-demo-metalstack.yaml | 10 ++- platform-apps/charts/keycloak/values-k3d.yaml | 6 ++ 3 files changed, 23 insertions(+), 77 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml index 49b39d0e..f2c85e5c 100644 
--- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml
+++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml
@@ -1,79 +1,10 @@ -apiVersion: group.keycloak.crossplane.io/v1alpha1 -kind: Roles -metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" -spec: - deletionPolicy: Delete - forProvider: - exhaustive: false - groupIdRef: - name: admins - realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} - roleIdsSelector: - matchLabels: - platform-engineer.cloud/role: admin - initProvider: {} - managementPolicies: - - '*' - providerConfigRef: - name: sx-keycloak-config ---- -apiVersion: group.keycloak.crossplane.io/v1alpha1 -kind: Roles -metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles-viewer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" -spec: - deletionPolicy: Delete - forProvider: - exhaustive: false - groupIdRef: - name: users - realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} - roleIdsSelector: - matchLabels: - platform-engineer.cloud/role: editor - initProvider: {} - managementPolicies: - - '*' - providerConfigRef: - name: sx-keycloak-config ---- -apiVersion: group.keycloak.crossplane.io/v1alpha1 -kind: Roles -metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles-viewer-team1 - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" -spec: - deletionPolicy: Delete - forProvider: - exhaustive: false - groupIdRef: - name: team1 - realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} - roleIdsSelector: - matchLabels: - platform-engineer.cloud/role: viewer - initProvider: {} - managementPolicies: - - '*' - providerConfigRef: - name: sx-keycloak-config +{{- range $group := .Values.deployments.keycloak.realm.groups }} +{{- range $role 
:= $group.roles }} --- apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Roles metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles-viewer-team-a + name: {{ $.Values.deployments.keycloak.grafanaclient.config.clientID }}-group-roles-{{ $group.name }}-{{ $role }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" @@ -82,15 +13,16 @@ spec: forProvider: exhaustive: false groupIdRef: - name: team-a + name: {{ $group.name }} realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.deployments.keycloak.realm.realmid }} roleIdsSelector: matchLabels: - platform-engineer.cloud/role: viewer + platform-engineer.cloud/role: {{ $role }} initProvider: {} managementPolicies: - '*' providerConfigRef: name: sx-keycloak-config ---- \ No newline at end of file +{{- end }} +{{- end }} \ No newline at end of file diff --git a/platform-apps/charts/keycloak/values-demo-metalstack.yaml b/platform-apps/charts/keycloak/values-demo-metalstack.yaml index 975a6eb4..8ef58b93 100644 --- a/platform-apps/charts/keycloak/values-demo-metalstack.yaml +++ b/platform-apps/charts/keycloak/values-demo-metalstack.yaml @@ -84,19 +84,27 @@ deployments: password: "test" groups: - name: admins - mfa: false # valid if .keycloak.mfa.enabled is true, disable for admin + roles: + - admin + mfa: false # valid if .keycloak.mfa.enabled is true, disable for admin members: - backstageadmin - demoadmin - name: team1 + roles: + - viewer mfa: true # valid if .keycloak.mfa.enabled is true members: - team1user - name: team-a + roles: + - viewer mfa: false # valid if .keycloak.mfa.enabled is true members: - team-auser - name: users + roles: + - editor mfa: false # valid if .keycloak.mfa.enabled is true members: - phac diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index f62b076b..76af31a8 100644 
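Review bot: The group and role strings from values are interpolated unquoted into `metadata.name` and into the `platform-engineer.cloud/role` selector label in the two template hunks of `cp-keycloak-grafana-group-roles.yaml`, so a value such as `true`, a bare number, or a name with uppercase letters or underscores renders a manifest that is typed wrongly or rejected at apply time. Because `roleIdsSelector.matchLabels` assigns every Role carrying that label to the group, these strings are effectively an authorization input and should be constrained. Quoting the label, `platform-engineer.cloud/role: {{ $role | quote }}`, and adding a comment in the values files that group and role names must be valid DNS-1123 labels would make a bad entry fail visibly instead of silently selecting nothing or the wrong roles.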
--- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml @@ -74,13 +74,19 @@ deployments: password: "test" groups: - name: admins + roles: + - admin members: - backstageadmin - demoadmin - name: team1 + roles: + - viewer members: - team1user - name: users + roles: + - editor members: - phac - jokl From 709574e32083e911faf8b287c3a1cdea0974776c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 21 Feb 2025 20:30:45 +0000 Subject: [PATCH 08/29] updated trivy scan results --- trivy-reports/report-falco_falcoctl_0.10.1.md | 30 ------------------- trivy-reports/report-falco_falcoctl_0.11.0.md | 7 +++++ .../report-falco_falcosidekick_2.30.0.md | 30 ------------------- .../report-falco_falcosidekick_2.31.1.md | 7 +++++ 4 files changed, 14 insertions(+), 60 deletions(-) delete mode 100644 trivy-reports/report-falco_falcoctl_0.10.1.md create mode 100644 trivy-reports/report-falco_falcoctl_0.11.0.md delete mode 100644 trivy-reports/report-falco_falcosidekick_2.30.0.md create mode 100644 trivy-reports/report-falco_falcosidekick_2.31.1.md diff --git a/trivy-reports/report-falco_falcoctl_0.10.1.md b/trivy-reports/report-falco_falcoctl_0.10.1.md deleted file mode 100644 index 3bbd91a0..00000000 --- a/trivy-reports/report-falco_falcoctl_0.10.1.md +++ /dev/null @@ -1,30 +0,0 @@ - -

Target docker.io/falcosecurity/falcoctl:0.10.1 (wolfi 20230201)

-

No Vulnerabilities found

-

No Misconfigurations found

-

Target usr/bin/falcoctl

-

Vulnerabilities (2)

- - - - - - - - - - - - - - - - - - - - - - -
PackageIDSeverityInstalled VersionFixed Version
golang.org/x/cryptoCVE-2024-45337CRITICALv0.29.00.31.0
golang.org/x/netCVE-2024-45338HIGHv0.31.00.33.0
-

No Misconfigurations found

diff --git a/trivy-reports/report-falco_falcoctl_0.11.0.md b/trivy-reports/report-falco_falcoctl_0.11.0.md new file mode 100644 index 00000000..5ef2f0b8 --- /dev/null +++ b/trivy-reports/report-falco_falcoctl_0.11.0.md @@ -0,0 +1,7 @@ + +

Target docker.io/falcosecurity/falcoctl:0.11.0 (wolfi 20230201)

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target usr/bin/falcoctl

+

No Vulnerabilities found

+

No Misconfigurations found

diff --git a/trivy-reports/report-falco_falcosidekick_2.30.0.md b/trivy-reports/report-falco_falcosidekick_2.30.0.md deleted file mode 100644 index e3f688d0..00000000 --- a/trivy-reports/report-falco_falcosidekick_2.30.0.md +++ /dev/null @@ -1,30 +0,0 @@ - -

Target docker.io/falcosecurity/falcosidekick:2.30.0 (alpine 3.19.4)

-

No Vulnerabilities found

-

No Misconfigurations found

-

Target app/falcosidekick

-

Vulnerabilities (2)

- - - - - - - - - - - - - - - - - - - - - - -
PackageIDSeverityInstalled VersionFixed Version
golang.org/x/cryptoCVE-2024-45337CRITICALv0.29.00.31.0
golang.org/x/netCVE-2024-45338HIGHv0.31.00.33.0
-

No Misconfigurations found

diff --git a/trivy-reports/report-falco_falcosidekick_2.31.1.md b/trivy-reports/report-falco_falcosidekick_2.31.1.md new file mode 100644 index 00000000..73055516 --- /dev/null +++ b/trivy-reports/report-falco_falcosidekick_2.31.1.md @@ -0,0 +1,7 @@ + +

Target docker.io/falcosecurity/falcosidekick:2.31.1 (alpine 3.19.6)

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target app/falcosidekick

+

No Vulnerabilities found

+

No Misconfigurations found

From bb92a580025788f653e286ec712bc3f7779e78dd Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Fri, 21 Feb 2025 22:15:30 +0100 Subject: [PATCH 09/29] specify better labels for grafana roles Signed-off-by: Johannes Kleinlercher --- .../cp-keycloak-default-clientroles-grafana.yaml | 6 +++--- platform-apps/charts/keycloak/values-demo-metalstack.yaml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml index 4fdceaea..009ab8ac 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml @@ -5,7 +5,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" labels: - platform-engineer.cloud/role: viewer + platform-engineer.cloud/role: grafana-viewer name: client-default-role-grafana-viewer spec: forProvider: @@ -25,7 +25,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" labels: - platform-engineer.cloud/role: editor + platform-engineer.cloud/role: grafana-editor name: client-default-role-grafana-editor spec: forProvider: @@ -45,7 +45,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" labels: - platform-engineer.cloud/role: admin + platform-engineer.cloud/role: grafana-admin name: client-default-role-grafana-admin spec: forProvider: diff --git a/platform-apps/charts/keycloak/values-demo-metalstack.yaml b/platform-apps/charts/keycloak/values-demo-metalstack.yaml index 8ef58b93..9ee7a9eb 100644 --- a/platform-apps/charts/keycloak/values-demo-metalstack.yaml +++ b/platform-apps/charts/keycloak/values-demo-metalstack.yaml 
@@ -85,26 +85,26 @@ deployments: groups: - name: admins roles: - - admin + - grafana-admin mfa: false # valid if .keycloak.mfa.enabled is true, disable for admin members: - backstageadmin - demoadmin - name: team1 roles: - - viewer + - grafana-viewer mfa: true # valid if .keycloak.mfa.enabled is true members: - team1user - name: team-a roles: - - viewer + - grafana-viewer mfa: false # valid if .keycloak.mfa.enabled is true members: - team-auser - name: users roles: - - editor + - grafana-editor mfa: false # valid if .keycloak.mfa.enabled is true members: - phac From 9e9685c096721f75dfa745bfe80685b56c7f4181 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Fri, 21 Feb 2025 23:15:04 +0100 Subject: [PATCH 10/29] needs to run later, because of https://github.com/suxess-it/kubriX/issues/1074 Signed-off-by: Johannes Kleinlercher --- .../charts/vault/templates/crossplane/cp-authbackend-oidc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-authbackend-oidc.yaml b/platform-apps/charts/vault/templates/crossplane/cp-authbackend-oidc.yaml index ddc47c89..be37c5a0 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-authbackend-oidc.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-authbackend-oidc.yaml @@ -44,7 +44,7 @@ metadata: name: oidc-backend-role annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-wave: "7" spec: providerConfigRef: name: vault-crossplane-providerconfig From fde9da5d13c43927f0d5d112361b357c5db6d0c2 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Fri, 21 Feb 2025 23:41:46 +0100 Subject: [PATCH 11/29] forgot to fix the role names also in the values file Signed-off-by: Johannes Kleinlercher --- platform-apps/charts/keycloak/values-k3d.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index 76af31a8..e646ad19 100644 --- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml @@ -75,18 +75,18 @@ deployments: groups: - name: admins roles: - - admin + - grafana-admin members: - backstageadmin - demoadmin - name: team1 roles: - - viewer + - grafana-viewer members: - team1user - name: users roles: - - editor + - grafana-editor members: - phac - jokl From ffb3b9c8f90444579ed46882e15ff28b2ea332f3 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sat, 22 Feb 2025 00:26:30 +0100 Subject: [PATCH 12/29] update to the same version as the chart provides. don't know if that helps, just a test Signed-off-by: Johannes Kleinlercher --- platform-apps/charts/vault/values-k3d.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/platform-apps/charts/vault/values-k3d.yaml b/platform-apps/charts/vault/values-k3d.yaml index 66fc2ddd..c62426f8 100644 --- a/platform-apps/charts/vault/values-k3d.yaml +++ b/platform-apps/charts/vault/values-k3d.yaml @@ -50,7 +50,7 @@ vault: runAsNonRoot: true extraContainers: - name: auto-initializer - image: hashicorp/vault:1.17.2 + image: hashicorp/vault:1.18.1 env: - name: VAULT_ADDR valueFrom: @@ -92,7 +92,7 @@ vault: runAsNonRoot: true - name: auto-unsealer - image: hashicorp/vault:1.17.2 + image: hashicorp/vault:1.18.1 env: - name: VAULT_ADDR valueFrom: @@ -137,7 +137,7 @@ vault: privileged: false runAsNonRoot: true - name: vault-initializer - image: hashicorp/vault:1.17.2 + image: hashicorp/vault:1.18.1 env: - name: VAULT_ADDR valueFrom: From c5bd95109bca3272e6cdaada988e37b9b9ca53cd Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sat, 22 Feb 2025 19:22:05 +0100 Subject: [PATCH 13/29] add keycloak because vault needs keycloak --- platform-apps/target-chart/values-kind-observability.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/platform-apps/target-chart/values-kind-observability.yaml b/platform-apps/target-chart/values-kind-observability.yaml index ed251bf1..5a43857a 100644 --- a/platform-apps/target-chart/values-kind-observability.yaml +++ b/platform-apps/target-chart/values-kind-observability.yaml @@ -23,6 +23,10 @@ applications: syncOptions: - ServerSideApply=true + - name: keycloak + annotations: + argocd.argoproj.io/sync-wave: "-6" + - name: vault annotations: argocd.argoproj.io/sync-wave: "-5" From 2d61c8ca621fc41033b3beef4591b27d610fb181 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Sun, 23 Feb 2025 21:39:24 +0100 Subject: [PATCH 14/29] try with newest vault provider --- .../charts/vault/templates/crossplane/cp-provider.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index 61021562..9fa8337f 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -6,4 +6,4 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" spec: - package: xpkg.upbound.io/upbound/provider-vault:v1.0.0 + package: xpkg.upbound.io/upbound/provider-vault:v2.1.1 From a12957366c59c3379a83187bd45b7bae072a08c9 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 08:47:29 +0100 Subject: [PATCH 15/29] add debug deploymentruntimeconfig for vault for better troubleshooting --- .../templates/crossplane/cp-provider.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index 9fa8337f..e54bd24e 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml 
@@ -1,3 +1,18 @@ +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + name: debug-config +spec: + deploymentTemplate: + spec: + selector: {} + template: + spec: + containers: + - name: package-runtime + args: + - --debug +--- # should move to crossplane ns, maybe? apiVersion: pkg.crossplane.io/v1 kind: Provider @@ -7,3 +22,7 @@ metadata: argocd.argoproj.io/sync-wave: "-10" spec: package: xpkg.upbound.io/upbound/provider-vault:v2.1.1 + runtimeConfigRef: + apiVersion: pkg.crossplane.io/v1beta1 + kind: DeploymentRuntimeConfig + name: debug-config From 9935fcd5461e121cd470a4ae0e10534fe981718f Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 08:54:09 +0100 Subject: [PATCH 16/29] better issue reference --- platform-apps/charts/vault/values-k3d.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-apps/charts/vault/values-k3d.yaml b/platform-apps/charts/vault/values-k3d.yaml index c62426f8..d5b7cb9c 100644 --- a/platform-apps/charts/vault/values-k3d.yaml +++ b/platform-apps/charts/vault/values-k3d.yaml @@ -168,13 +168,13 @@ vault: else - # due to #405 + # due to https://github.com/suxess-it/kubriX/issues/405 if [ ! $(vault read auth/oidc/config) ]; then vault auth enable oidc vault write auth/oidc/config oidc_discovery_url="https://keycloak-127-0-0-1.nip.io/realms/kubrix" oidc_client_id="vault" oidc_client_secret="demosecret" default_role="default" oidc_discovery_ca_pem=@/vault/userconfig/vault-ca/ca.crt fi - # workaround due to #422 + # workaround due to https://github.com/suxess-it/kubriX/issues/422 if [ ! $(vault list identity/group-alias/id) ]; then echo vault admins group configured, just updating group aliases vault list identity/group/name From a3ae2cb9838975485f95ca9337a6509d38b421ca Mon Sep 17 00:00:00 2001 
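Review bot: The new `DeploymentRuntimeConfig` in the first hunk passes `--debug` to the provider-vault `package-runtime` container unconditionally, so every install of this chart runs the Vault provider with debug logging. Debug output from a component that talks to Vault may put more request detail into cluster logs than is wanted (not verifiable from this hunk), so I would gate the flag behind a chart value that defaults to off, e.g. wrap the `- --debug` entry in `{{- if .Values.providerDebug }}` and `{{- end }}` (the value name is only a suggestion). The object name `debug-config` is also very generic for what appears to be a cluster-scoped resource. A chart-specific name would avoid clashing with another chart's config, with the matching change to `runtimeConfigRef.name` in the second hunk.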
From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 09:15:44 +0100 Subject: [PATCH 17/29] sync deploymentruntimeconfig with provider, otherwise provider fails to start --- .../charts/vault/templates/crossplane/cp-provider.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index e54bd24e..a8c895b6 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -2,6 +2,8 @@ apiVersion: pkg.crossplane.io/v1beta1 kind: DeploymentRuntimeConfig metadata: name: debug-config + annotations: + argocd.argoproj.io/sync-wave: "-10" spec: deploymentTemplate: spec: From 0963b2a86dc8f7d779d4b3512787b973c66a27ae Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 09:52:21 +0100 Subject: [PATCH 18/29] downgrade vault provider to v1.0.0 --- .../charts/vault/templates/crossplane/cp-provider.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index a8c895b6..3c9f56ec 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -23,7 +23,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" spec: - package: xpkg.upbound.io/upbound/provider-vault:v2.1.1 + package: xpkg.upbound.io/upbound/provider-vault:v1.0.0 runtimeConfigRef: apiVersion: pkg.crossplane.io/v1beta1 kind: DeploymentRuntimeConfig From b8a3e5b880275cb7d28476a52d12ffe9e4b5fba6 Mon Sep 17 00:00:00 2001 
From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 16:23:51 +0100 Subject: [PATCH 19/29] reduce poll-interval from 10m to 1m --- .../charts/vault/templates/crossplane/cp-provider.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index 3c9f56ec..4bfce3c7 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -12,7 +12,8 @@ spec: spec: containers: - name: package-runtime - args: + args: + - --poll-interval=1m - --debug --- # should move to crossplane ns, maybe? From b83b7577f146525e35c42c51f902374010447a11 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 16:29:06 +0100 Subject: [PATCH 20/29] seems to be poll instead of poll-interval, see https://github.com/upbound/provider-vault/blob/2665cf0f82ff3133f4ebe3ad206f96b8e760ffbb/cmd/provider/main.go#L55C39-L55C43 --- .../charts/vault/templates/crossplane/cp-provider.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index 4bfce3c7..2992fd3e 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -13,7 +13,7 @@ spec: containers: - name: package-runtime args: - - --poll-interval=1m + - --poll=1m - --debug --- # should move to crossplane ns, maybe? From 49de33bdb97f0bce9148a3b44a242ef95057f72f Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 18:17:26 +0100 Subject: [PATCH 21/29] also restart sync when operation-phase is 'error' --- install-platform.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/install-platform.sh b/install-platform.sh index c119e1bd..b94273f9 100755 --- a/install-platform.sh +++ b/install-platform.sh @@ -83,9 +83,9 @@ wait_until_apps_synced_healthy() { fi # terminate sync if sync is running and takes longer than 300 seconds (workaround when sync gets stuck) operation_phase=$(kubectl get application -n argocd ${app} -o jsonpath='{.status.operationState.phase}') - if [ "${operation_phase}" = "Running" ] && [ ${sync_duration} -gt 300 ] || [ "${operation_phase}" = "Failed" ] ; then + if [ "${operation_phase}" = "Running" ] && [ ${sync_duration} -gt 300 ] || [ "${operation_phase}" = "Failed" ] || [ "${operation_phase}" = "Error" ] ; then # Terminate the operation for the application - echo "sync of app ${app} gets terminated because it took longer than 300 seconds" + echo "sync of app ${app} gets terminated because it took longer than 300 seconds or failed" kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app terminate-op "$app" --core echo "wait for 10 seconds" sleep 10 From 46b1ed326d598ae53cdcfed9129461c72a27d8fa Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 18:22:48 +0100 Subject: [PATCH 22/29] trigger a sync explicitly in case the bootstrap-app already failed to sync too many times --- install-platform.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/install-platform.sh b/install-platform.sh index b94273f9..f6192642 100755 --- a/install-platform.sh +++ b/install-platform.sh 
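Review bot: The widened condition now sends phase `Error` (like `Failed` before it) into the branch that runs `argocd app terminate-op`, but terminate-op acts on an operation that is still in progress. For an operation that has already ended it will most likely just return an error, and the exit status of the `kubectl exec` is not checked. If the goal is to restart the sync, as the commit title says, handle the finished phases separately, or at least make the failure visible by appending `|| echo "terminate-op for ${app} failed" >&2` to the `kubectl exec` line. `${sync_duration}` is also unquoted inside `[ ... -gt 300 ]`, so an empty value makes the test a syntax error rather than false. The body of `wait_until_apps_synced_healthy` starts and ends outside this hunk, so whether a resync follows elsewhere cannot be seen from here.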
@@ -328,12 +328,16 @@ fi if [[ $( echo $argocd_apps | grep sx-kargo ) ]] ; then kubectl delete ExternalSecret github-creds -n kargo # check if kargo is synced and healthy for 5 minutes + # we trigger a new sync in case the bootstrap-app already failed 5 times + kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "sx-kargo" --async --core wait_until_apps_synced_healthy "sx-kargo" "Synced" "Healthy" 300 fi if [[ $( echo $argocd_apps | grep sx-team-onboarding ) ]] ; then kubectl delete ExternalSecret github-creds -n kargo # check if kargo is synced and healthy for 5 minutes + # we trigger a new sync in case the bootstrap-app already failed 5 times + kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "sx-team-onboarding" --async --core wait_until_apps_synced_healthy "sx-team-onboarding" "Synced" "Healthy" 300 fi @@ -341,6 +345,8 @@ fi if [[ $( echo $argocd_apps | grep sx-backstage ) ]] ; then # check if backstage is already synced (it will still be degraded because of the missing secret we create in the next step) + # we trigger a new sync in case the bootstrap-app already failed 5 times + kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "sx-backstage" --async --core wait_until_apps_synced_healthy "sx-backstage" "Synced" "*" 900 echo "adding special configuration for sx-backstage" @@ -424,6 +430,8 @@ if [[ $( echo $argocd_apps | grep sx-backstage ) ]] ; then fi # finally wait for all apps including backstage to be synced and health + # we trigger a new sync in case the bootstrap-app already failed 5 times + kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "sx-bootstrap-app" --async --core wait_until_apps_synced_healthy "${argocd_apps}" "Synced" "Healthy" 300 fi From 93848640f111d71f17085c49bf0b2831d2e4db39 Mon Sep 17 00:00:00 2001 
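Review bot: The same `kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync ... --async --core` line is added four times (the sx-kargo, sx-team-onboarding, sx-backstage and sx-bootstrap-app hunks), each with the pod name hard-coded and the exit status ignored. A small helper would keep this in one place and surface a failed trigger before the 300 to 900 second wait starts: `trigger_sync() { kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "$1" --async --core || echo "could not trigger sync for $1" >&2; }`. The added comment says the bootstrap app may already have failed 5 times, yet three of the four calls sync the child application instead, so either the comment or the sync target should be changed to make them agree.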
From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 20:50:37 +0100 Subject: [PATCH 23/29] decrease cpu requests so observability stack can get tested on github --- platform-apps/charts/keycloak/templates/keycloak.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/keycloak/templates/keycloak.yaml b/platform-apps/charts/keycloak/templates/keycloak.yaml index a9a36fdd..35cff1fe 100644 --- a/platform-apps/charts/keycloak/templates/keycloak.yaml +++ b/platform-apps/charts/keycloak/templates/keycloak.yaml @@ -106,7 +106,7 @@ spec: cpu: "2" requests: memory: 1024Mi - cpu: "0.6" + cpu: "0.3" volumeMounts: - mountPath: /opt/keycloak/bin/poststart.sh name: keycloak-hookvolume From 6b8049c9522da7e5eefc15243aaf37a8a72e8610 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 21:30:13 +0100 Subject: [PATCH 24/29] reduce cpu requests for observability stack tests in GitHub actions --- platform-apps/charts/mimir/values-k3d.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/platform-apps/charts/mimir/values-k3d.yaml b/platform-apps/charts/mimir/values-k3d.yaml index 20e89d09..4a5c3925 100644 --- a/platform-apps/charts/mimir/values-k3d.yaml +++ b/platform-apps/charts/mimir/values-k3d.yaml @@ -19,7 +19,9 @@ mimir: memory: 6Gi ingester: resources: + requests: + cpu: 50m limits: cpu: 5 memory: 12Gi - \ No newline at end of file + From ff5aa09219a885a6ad782c7f101a0a57c9ad1b07 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 22:09:40 +0100 Subject: [PATCH 25/29] reduce cpu requests for observability tests in GitHub actions --- platform-apps/charts/mimir/values-k3d.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/platform-apps/charts/mimir/values-k3d.yaml b/platform-apps/charts/mimir/values-k3d.yaml index 4a5c3925..8ebac5df 100644 --- a/platform-apps/charts/mimir/values-k3d.yaml +++ b/platform-apps/charts/mimir/values-k3d.yaml 
@@ -24,4 +24,8 @@ mimir: limits: cpu: 5 memory: 12Gi + store_gateway: + resources: + requests: + cpu: 50m From 34ff158252d797437f549e763c86e949bdca5829 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Mon, 24 Feb 2025 22:38:58 +0100 Subject: [PATCH 26/29] fix permission denied error --- install-platform.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-platform.sh b/install-platform.sh index f6192642..53a31231 100755 --- a/install-platform.sh +++ b/install-platform.sh @@ -346,7 +346,7 @@ if [[ $( echo $argocd_apps | grep sx-backstage ) ]] ; then # check if backstage is already synced (it will still be degraded because of the missing secret we create in the next step) # we trigger a new sync in case the bootstrap-app already failed 5 times - kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "sx-backstage" --async --core + kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync sx-backstage --async --core wait_until_apps_synced_healthy "sx-backstage" "Synced" "*" 900 echo "adding special configuration for sx-backstage" From 5f14d57cb78dc0bc5844b4336bdef1e0e63c58d0 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Tue, 25 Feb 2025 17:20:28 +0100 Subject: [PATCH 27/29] trigger sync for sx-bootstrap-app, because sync to unknown app brings permissiondenied --- install-platform.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install-platform.sh b/install-platform.sh index 53a31231..e292b6dd 100755 --- a/install-platform.sh +++ b/install-platform.sh 
@@ -346,7 +346,7 @@ if [[ $( echo $argocd_apps | grep sx-backstage ) ]] ; then # check if backstage is already synced (it will still be degraded because of the missing secret we create in the next step) # we trigger a new sync in case the bootstrap-app already failed 5 times - kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync sx-backstage --async --core + kubectl exec sx-argocd-application-controller-0 -n argocd -- argocd app sync "sx-bootstrap-app" --async --core wait_until_apps_synced_healthy "sx-backstage" "Synced" "*" 900 echo "adding special configuration for sx-backstage" From 37bdc802525f3af216d7634185c73570e3c6b4a8 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Wed, 26 Feb 2025 22:38:14 +0100 Subject: [PATCH 28/29] Test vault provider v2.1.1 again --- .../charts/vault/templates/crossplane/cp-provider.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index 2992fd3e..21d45704 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -24,7 +24,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" spec: - package: xpkg.upbound.io/upbound/provider-vault:v1.0.0 + package: xpkg.upbound.io/upbound/provider-vault:v2.1.1 runtimeConfigRef: apiVersion: pkg.crossplane.io/v1beta1 kind: DeploymentRuntimeConfig From 40045ec33bc9c240abee693234c5b098f7d51de8 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Wed, 26 Feb 2025 23:22:14 +0100 Subject: [PATCH 29/29] again back to v1 because v2 failed again with known error --- .../charts/vault/templates/crossplane/cp-provider.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml index 21d45704..2992fd3e 100644 --- a/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml +++ b/platform-apps/charts/vault/templates/crossplane/cp-provider.yaml @@ -24,7 +24,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" spec: - package: xpkg.upbound.io/upbound/provider-vault:v2.1.1 + package: xpkg.upbound.io/upbound/provider-vault:v1.0.0 runtimeConfigRef: apiVersion: pkg.crossplane.io/v1beta1 kind: DeploymentRuntimeConfig