feat(auth): support service to service backend auth

Signed-off-by: Tomas Coufal <tcoufal@redhat.com>
janus-idp · Nov 6, 2023 · 5d784eb · 5d784eb
1 parent e845904
commit 5d784eb
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 2 deletions.
diff --git a/charts/backstage/Chart.yaml b/charts/backstage/Chart.yaml
@@ -41,4 +41,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.9.0
+version: 2.10.0
diff --git a/charts/backstage/README.md b/charts/backstage/README.md
@@ -2,7 +2,7 @@
 # Janus-IDP Backstage Helm Chart
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/janus-idp&style=flat-square)](https://artifacthub.io/packages/search?repo=janus-idp)
-![Version: 2.9.0](https://img.shields.io/badge/Version-2.9.0-informational?style=flat-square)
+![Version: 2.10.0](https://img.shields.io/badge/Version-2.10.0-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for deploying a Backstage application
@@ -128,6 +128,11 @@ Kubernetes: `>= 1.19.0-0`
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
+| global.auth | Enable service authentication within Backstage instance | object | `{"backend":{"enabled":true,"existingSecret":"","value":""}}` |
+| global.auth.backend | Backend service to service authentication <br /> Ref: https://backstage.io/docs/auth/service-to-service-auth/ | object | `{"enabled":true,"existingSecret":"","value":""}` |
+| global.auth.backend.enabled | Enable backend service to service authentication, unless configured otherwise it generates a secret value | bool | `true` |
+| global.auth.backend.existingSecret | Instead of generating a secret value, refer to existing secret | string | `""` |
+| global.auth.backend.value | Instead of generating a secret value, use fo;lowing value | string | `""` |
 | global.clusterRouterBase | Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled. | string | `"apps.example.com"` |
 | global.dynamic.includes | Array of YAML files listing dynamic plugins to include with those listed in the `plugins` field. Relative paths are resolved from the working directory of the initContainer that will install the plugins (`/opt/app-root/src`). | list | `["dynamic-plugins.default.yaml"]` |
 | global.dynamic.includes[0] | List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default. This file ONLY works with the `janus-idp/backstage-showcase` container image. | string | `"dynamic-plugins.default.yaml"` |

diff --git a/charts/backstage/templates/_helpers.tpl b/charts/backstage/templates/_helpers.tpl
@@ -10,3 +10,14 @@ Returns custom hostname
         {{ fail "Unable to generate hostname" }}
     {{- end -}}
 {{- end -}}
+
+{{/*
+Returns a secret name for service to service auth
+*/}}
+{{- define "janus-idp.backend-secret-name" -}}
+    {{- if .Values.global.auth.backend.existingSecret -}}
+        {{- .Values.global.auth.backend.existingSecret -}}
+    {{- else -}}
+        {{- include "common.names.fullname" . -}}-auth
+    {{- end -}}
+{{- end -}}
diff --git a/charts/backstage/templates/secrets.yaml b/charts/backstage/templates/secrets.yaml
@@ -0,0 +1,19 @@
+{{- if and (not .Values.global.auth.backend.existingSecret) .Values.global.auth.backend.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.names.fullname" . }}-auth
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: backstage
+    {{- if .Values.upstream.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.upstream.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.upstream.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.upstream.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+type: Opaque
+data:
+  backend-secret: {{ (ternary  (randAlphaNum 24 ) .Values.global.auth.backend.value (empty .Values.global.auth.backend.value)) | b64enc | quote }}
+{{- end }}
diff --git a/charts/backstage/values.schema.json b/charts/backstage/values.schema.json
@@ -3,6 +3,35 @@
     "properties": {
         "global": {
             "properties": {
+                "auth": {
+                    "additionalProperties": false,
+                    "properties": {
+                        "backend": {
+                            "additionalProperties": false,
+                            "properties": {
+                                "enabled": {
+                                    "default": true,
+                                    "title": "Enable backend service to service authentication, unless configured otherwise it generates a secret value",
+                                    "type": "boolean"
+                                },
+                                "existingSecret": {
+                                    "default": "",
+                                    "title": "Instead of generating a secret value, refer to existing secret",
+                                    "type": "string"
+                                },
+                                "value": {
+                                    "default": "",
+                                    "title": "Instead of generating a secret value, use fo;lowing value",
+                                    "type": "string"
+                                }
+                            },
+                            "title": "Backend service to service authentication",
+                            "type": "object"
+                        }
+                    },
+                    "title": "Enable service authentication within Backstage instance",
+                    "type": "object"
+                },
                 "clusterRouterBase": {
                     "default": "apps.example.com",
                     "title": "Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled.",

diff --git a/charts/backstage/values.schema.tmpl.json b/charts/backstage/values.schema.tmpl.json
@@ -67,6 +67,35 @@
                             "default": []
                         }
                     }
+                },
+                "auth": {
+                    "title": "Enable service authentication within Backstage instance",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "backend": {
+                            "title": "Backend service to service authentication",
+                            "type": "object",
+                            "additionalProperties": false,
+                            "properties": {
+                                "enabled": {
+                                    "title": "Enable backend service to service authentication, unless configured otherwise it generates a secret value",
+                                    "type": "boolean",
+                                    "default": true
+                                },
+                                "existingSecret": {
+                                    "title": "Instead of generating a secret value, refer to existing secret",
+                                    "type": "string",
+                                    "default": ""
+                                },
+                                "value": {
+                                    "title": "Instead of generating a secret value, use fo;lowing value",
+                                    "type": "string",
+                                    "default": ""
+                                }
+                            }
+                        }
+                    }
                 }
             }
         },

diff --git a/charts/backstage/values.yaml b/charts/backstage/values.yaml
@@ -17,6 +17,17 @@ global:
   clusterRouterBase: apps.example.com
   # -- Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig`
   host: ""
+  # -- Enable service authentication within Backstage instance
+  auth:
+    # -- Backend service to service authentication
+    # <br /> Ref: https://backstage.io/docs/auth/service-to-service-auth/
+    backend:
+      # -- Enable backend service to service authentication, unless configured otherwise it generates a secret value
+      enabled: true
+      # -- Instead of generating a secret value, refer to existing secret
+      existingSecret: ""
+      # -- Instead of generating a secret value, use fo;lowing value
+      value: ""
 
 # -- Upstream Backstage [chart configuration](https://github.com/backstage/charts/blob/main/charts/backstage/values.yaml)
 # @default -- Use Openshift compatible settings
@@ -47,6 +58,9 @@ upstream:
           connection:
             password: ${POSTGRESQL_ADMIN_PASSWORD}
             user: postgres
+        auth:
+          keys:
+            - secret: ${BACKEND_SECRET}
     readinessProbe:
       failureThreshold: 3
       httpGet:
@@ -68,6 +82,11 @@ upstream:
       successThreshold: 1
       timeoutSeconds: 2
     extraEnvVars:
+      - name: BACKEND_SECRET
+        valueFrom:
+          secretKeyRef:
+            key: backend-secret
+            name: '{{ include "janus-idp.backend-secret-name" $ }}'
       - name: POSTGRESQL_ADMIN_PASSWORD
         valueFrom:
           secretKeyRef: