This repository has been archived by the owner on Feb 2, 2024. It is now read-only.

feat(auth): support service to service backend auth
Signed-off-by: Tomas Coufal <tcoufal@redhat.com>
tumido committed Nov 6, 2023
1 parent e845904 commit 03a00c9
Showing 9 changed files with 155 additions and 11 deletions.
44 changes: 41 additions & 3 deletions .github/workflows/test.yml
@@ -1,4 +1,4 @@
name: Lint Charts
name: Test Charts

on:
pull_request:
Expand All @@ -8,6 +8,7 @@ on:

jobs:
check-metadata:
name: Lint Metadata
runs-on: ubuntu-latest
env:
GO111MODULE: on
Expand All @@ -30,7 +31,8 @@ jobs:
uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # renovate: tag=v3.0.0
with:
extra_args: --show-diff-on-failure
test:
test-latest:
name: Test Latest Release
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand Down Expand Up @@ -69,7 +71,43 @@ jobs:
- name: Run chart-testing (latest)
# test with latest stable backstage-showcase release
run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=latest"
test-next:
name: Test Next Release
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0

- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # renovate: tag=v3.5
with:
version: v3.10.0

- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: 3.7

- name: Set up chart-testing
uses: helm/chart-testing-action@b43128a8b25298e1e7b043b78ea6613844e079b1 # v2.6.0

- name: "Add NGINX Ingress and Bitnami Repository"
run: |
helm repo add ingress-nginx "https://kubernetes.github.io/ingress-nginx"
helm repo add bitnami "https://charts.bitnami.com/bitnami"
helm repo add backstage https://backstage.github.io/charts
helm repo update
- name: Run chart-testing (lint)
run: ct lint --config ct.yaml

- name: Create KIND Cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0

- name: Install Ingress Controller
run: "helm install ingress-nginx/ingress-nginx --generate-name --set controller.service.type='NodePort' --set controller.admissionWebhooks.enabled=false"

- name: Run chart-testing (next)
# test with the next backstage-showcase version (main branch)
run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=next"
run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=next"
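Review bot: the new `test-next` job is a line-for-line copy of `test-latest` that differs only in the tag passed to the final `ct install`; a `strategy.matrix` over `tag: [latest, next]` on a single job, with `--set=upstream.backstage.image.tag=${{ matrix.tag }}`, would keep the pinned action SHAs, repo setup and KIND/ingress steps in one place instead of two that must be patched in lockstep. The copied `actions/setup-python` step also still requests `python-version: 3.7`, which reached end of life in June 2023; bump it rather than carrying the old pin into a new job.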
2 changes: 1 addition & 1 deletion charts/backstage/Chart.yaml
Expand Up @@ -41,4 +41,4 @@ sources:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.9.0
version: 2.10.0
7 changes: 6 additions & 1 deletion charts/backstage/README.md
Expand Up @@ -2,7 +2,7 @@
# Janus-IDP Backstage Helm Chart

[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/janus-idp&style=flat-square)](https://artifacthub.io/packages/search?repo=janus-idp)
![Version: 2.9.0](https://img.shields.io/badge/Version-2.9.0-informational?style=flat-square)
![Version: 2.10.0](https://img.shields.io/badge/Version-2.10.0-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

A Helm chart for deploying a Backstage application
Expand Down Expand Up @@ -128,6 +128,11 @@ Kubernetes: `>= 1.19.0-0`

| Key | Description | Type | Default |
|-----|-------------|------|---------|
| global.auth | Enable service authentication within Backstage instance | object | `{"backend":{"enabled":true,"existingSecret":"","value":""}}` |
| global.auth.backend | Backend service to service authentication <br /> Ref: https://backstage.io/docs/auth/service-to-service-auth/ | object | `{"enabled":true,"existingSecret":"","value":""}` |
| global.auth.backend.enabled | Enable backend service to service authentication, unless configured otherwise it generates a secret value | bool | `true` |
| global.auth.backend.existingSecret | Instead of generating a secret value, refer to existing secret | string | `""` |
| global.auth.backend.value | Instead of generating a secret value, use fo;lowing value | string | `""` |
| global.clusterRouterBase | Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled. | string | `"apps.example.com"` |
| global.dynamic.includes | Array of YAML files listing dynamic plugins to include with those listed in the `plugins` field. Relative paths are resolved from the working directory of the initContainer that will install the plugins (`/opt/app-root/src`). | list | `["dynamic-plugins.default.yaml"]` |
| global.dynamic.includes[0] | List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default. This file ONLY works with the `janus-idp/backstage-showcase` container image. | string | `"dynamic-plugins.default.yaml"` |
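Review bot: the `global.auth.backend.value` row should warn that a key supplied this way lands in plaintext in the user's values file and in the Helm release record, and point to `existingSecret` as the preferred option; the `existingSecret` row should name the key the chart reads from that Secret, since the table gives a user no way to know it. The 'fo;lowing' typo in the `value` row should be fixed at its source, the `# --` comment in `values.yaml`, since this table mirrors those comments.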
6 changes: 0 additions & 6 deletions charts/backstage/ci/default-values.yaml
Expand Up @@ -6,9 +6,3 @@ upstream:
primary:
persistence:
enabled: false
backstage:
appConfig:
backend:
auth:
keys:
- secret: sEKIT4CwJ4MwVLzen5SFL6fJmwOPB2sl
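Review bot: dropping the hardcoded `- secret: sEKIT4CwJ4MwVLzen5SFL6fJmwOPB2sl` from the CI values is the right move now that the chart generates a key, and it means the CI run now exercises the new generated-secret default path. Note that the literal stays in git history, so it should be treated as public and never reused outside CI.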
11 changes: 11 additions & 0 deletions charts/backstage/templates/_helpers.tpl
Expand Up @@ -10,3 +10,14 @@ Returns custom hostname
{{ fail "Unable to generate hostname" }}
{{- end -}}
{{- end -}}

{{/*
Returns a secret name for service to service auth
*/}}
{{- define "janus-idp.backend-secret-name" -}}
{{- if .Values.global.auth.backend.existingSecret -}}
{{- .Values.global.auth.backend.existingSecret -}}
{{- else -}}
{{- include "common.names.fullname" . -}}-auth
{{- end -}}
{{- end -}}
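Review bot: the generated name `{{ include "common.names.fullname" . }}-auth` is built here and again by hand in `templates/secrets.yaml`; have `secrets.yaml` call `janus-idp.backend-secret-name` for its `metadata.name` so the two cannot drift. The helper also silently prefers `existingSecret` over `value` when both are set; either document that precedence or `fail` on the combination so a user does not assume their `value` is in use.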
19 changes: 19 additions & 0 deletions charts/backstage/templates/secrets.yaml
@@ -0,0 +1,19 @@
{{- if and (not .Values.global.auth.backend.existingSecret) .Values.global.auth.backend.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}-auth
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: backstage
{{- if .Values.upstream.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.upstream.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.upstream.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.upstream.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
backend-secret: {{ (ternary (randAlphaNum 24 ) .Values.global.auth.backend.value (empty .Values.global.auth.backend.value)) | b64enc | quote }}
{{- end }}
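Review bot: `randAlphaNum 24` is evaluated on every render, so each `helm upgrade` that does not set `value` or `existingSecret` rotates the backend key. During the rolling update that follows, pods on the old ReplicaSet keep the previous `BACKEND_SECRET` while new pods get the fresh one, and service-to-service calls between the two sets fail until the rollout completes; with several replicas that is a visible outage window on every upgrade. Consider reusing the current value via `lookup "v1" "Secret" .Release.Namespace (printf "%s-auth" (include "common.names.fullname" .))` and falling back to `randAlphaNum` only when nothing is found (`lookup` returns an empty map under `helm template` and client-side `--dry-run`, so those paths still work), and document the rotation behaviour either way. `ternary` evaluates both of its arguments, so the random value is generated even when `value` is set; harmless here, but worth knowing when reading the template.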
29 changes: 29 additions & 0 deletions charts/backstage/values.schema.json
Expand Up @@ -3,6 +3,35 @@
"properties": {
"global": {
"properties": {
"auth": {
"additionalProperties": false,
"properties": {
"backend": {
"additionalProperties": false,
"properties": {
"enabled": {
"default": true,
"title": "Enable backend service to service authentication, unless configured otherwise it generates a secret value",
"type": "boolean"
},
"existingSecret": {
"default": "",
"title": "Instead of generating a secret value, refer to existing secret",
"type": "string"
},
"value": {
"default": "",
"title": "Instead of generating a secret value, use fo;lowing value",
"type": "string"
}
},
"title": "Backend service to service authentication",
"type": "object"
}
},
"title": "Enable service authentication within Backstage instance",
"type": "object"
},
"clusterRouterBase": {
"default": "apps.example.com",
"title": "Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled.",
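Review bot: this block duplicates `values.schema.tmpl.json`, typo included; if this file is generated from the template, regenerate it rather than editing both. The schema also accepts `existingSecret` and `value` set together, which the templates resolve silently in favour of `existingSecret`; a `not`/`allOf` rule that rejects both being non-empty (`minLength: 1` on each inside the `not`) would surface the conflict at `helm lint` time instead of at runtime.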
29 changes: 29 additions & 0 deletions charts/backstage/values.schema.tmpl.json
Expand Up @@ -67,6 +67,35 @@
"default": []
}
}
},
"auth": {
"title": "Enable service authentication within Backstage instance",
"type": "object",
"additionalProperties": false,
"properties": {
"backend": {
"title": "Backend service to service authentication",
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"title": "Enable backend service to service authentication, unless configured otherwise it generates a secret value",
"type": "boolean",
"default": true
},
"existingSecret": {
"title": "Instead of generating a secret value, refer to existing secret",
"type": "string",
"default": ""
},
"value": {
"title": "Instead of generating a secret value, use fo;lowing value",
"type": "string",
"default": ""
}
}
}
}
}
}
},
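Review bot: 'fo;lowing' in the `value` title should read 'following'; this file appears to be the template that `values.schema.json` is rendered from, so fix it here and regenerate so the two files do not diverge.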
19 changes: 19 additions & 0 deletions charts/backstage/values.yaml
Expand Up @@ -17,6 +17,17 @@ global:
clusterRouterBase: apps.example.com
# -- Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig`
host: ""
# -- Enable service authentication within Backstage instance
auth:
# -- Backend service to service authentication
# <br /> Ref: https://backstage.io/docs/auth/service-to-service-auth/
backend:
# -- Enable backend service to service authentication, unless configured otherwise it generates a secret value
enabled: true
# -- Instead of generating a secret value, refer to existing secret
existingSecret: ""
# -- Instead of generating a secret value, use fo;lowing value
value: ""

# -- Upstream Backstage [chart configuration](https://github.com/backstage/charts/blob/main/charts/backstage/values.yaml)
# @default -- Use Openshift compatible settings
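Review bot: typo in the `value` comment, 'fo;lowing' should be 'following'; the README table and the schema titles are rendered from these `# --` comments, so fixing it here fixes the generated files too. The `existingSecret` comment should also state that the referenced Secret must carry the key `backend-secret`, which is what the `BACKEND_SECRET` env var reads further down in this file; a user-supplied Secret with any other key name fails at pod start with no hint in the values documentation.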
Expand Down Expand Up @@ -47,6 +58,9 @@ upstream:
connection:
password: ${POSTGRESQL_ADMIN_PASSWORD}
user: postgres
auth:
keys:
- secret: ${BACKEND_SECRET}
readinessProbe:
failureThreshold: 3
httpGet:
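Review bot: `auth.keys` is a list, and Helm replaces lists from user values rather than merging them, so anyone who supplies their own `upstream.backstage.appConfig.backend.auth.keys` drops this `${BACKEND_SECRET}` entry and ends up with a chart that still creates and mounts the Secret but never uses it. Document in the `global.auth.backend` comments that such users must either keep a `${BACKEND_SECRET}` entry in their list or set `enabled: false`.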
Expand All @@ -68,6 +82,11 @@ upstream:
successThreshold: 1
timeoutSeconds: 2
extraEnvVars:
- name: BACKEND_SECRET
valueFrom:
secretKeyRef:
key: backend-secret
name: '{{ include "janus-idp.backend-secret-name" $ }}'
- name: POSTGRESQL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
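Review bot: the `BACKEND_SECRET` env var references `janus-idp.backend-secret-name` unconditionally, but `templates/secrets.yaml` only renders that Secret when `global.auth.backend.enabled` is true and `existingSecret` is empty. With `enabled: false` the Secret does not exist, the `secretKeyRef` is not marked `optional: true`, and the Backstage pod will sit in `CreateContainerConfigError` rather than start without backend auth. Either add `optional: true` to this `secretKeyRef` or make the env entry conditional on the same check the Secret template uses.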
