Backstage instance doesn't spin-up

[yusakh]

Template "pe-course-cnoe" has an issue which doesn't allow it to start Backstage instance.
Top level issue: argocd application "backstage" https://cnoe.localtest.me:8443/argocd/applications/argocd/backstage fails with few related objects creations failed:
Deployment 'backstage' : Resource not found in cluster: apps/v1/Deployment:backstage
StatefulSet 'postgresql' : Resource not found in cluster: apps/v1/StatefulSet:postgresql
Externalsecret 'backstage-oidc': error retrieving secret at .data[0], key: keycloak-clients, err: secrets "keycloak-clients" not found

Main problem is that "keycloak-clients" secret is not created with following errors in log:

• BACKSTAGE_CLIENT_SECRET=******
  ++ ./kubectl -n argocd get secret argocd-initial-admin-secret -o 'go-template={{.data.password | base64decode }}'
  ./kubectl: line 1: syntax error near unexpected token <'
  ./kubectl: line 1: NoSuchKeyThe specified key does not exist.
  Details

  No such object: 767373bbdcb8270361b96548387bf2a9ad0d48758c35/release/v1.28.3//bin/linux/amd64/kubectl
  '
• ARGOCD_PASSWORD=

Likely it's due to double-slash in command ("...v1.28.3//bin...").

Short summary:

• Root cause — the Keycloak config job had a double-slash typo in the kubectl download URL (v1.28.3//bin/linux/amd64/kubectl), causing it to download an XML error page instead of the binary
• Consequence — kubectl never worked inside the job, so the keycloak-clients secret was never created, blocking both Backstage and Argo Workflows via their ExternalSecret resources
• Workaround — manually extracted the Keycloak client secrets and ArgoCD session token, created the secret by hand, then force-triggered the ExternalSecret reconciliation with the annotation trick