diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e83b49f0..2baf292d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,4 +1,4 @@ -name: Lint Charts +name: Test Charts on: pull_request: @@ -8,6 +8,7 @@ on: jobs: check-metadata: + name: Lint Metadata runs-on: ubuntu-latest env: GO111MODULE: on @@ -30,7 +31,8 @@ jobs: uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # renovate: tag=v3.0.0 with: extra_args: --show-diff-on-failure - test: + test-latest: + name: Test Latest Release runs-on: ubuntu-latest steps: - name: Checkout 
@@ -69,7 +71,43 @@ jobs: - name: Run chart-testing (latest) # test with latest stable backstage-showcase release run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=latest" + test-next: + name: Test Next Release + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + with: + fetch-depth: 0 + + - name: Set up Helm + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # renovate: tag=v3.5 + with: + version: v3.10.0 + + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 + with: + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@b43128a8b25298e1e7b043b78ea6613844e079b1 # v2.6.0 + + - name: "Add NGINX Ingress and Bitnami Repository" + run: | + helm repo add ingress-nginx "https://kubernetes.github.io/ingress-nginx" + helm repo add bitnami "https://charts.bitnami.com/bitnami" + helm repo add backstage https://backstage.github.io/charts + helm repo update + + - name: Run chart-testing (lint) + run: ct lint --config ct.yaml + + - name: Create KIND Cluster + uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 + + - name: Install Ingress Controller + run: "helm install ingress-nginx/ingress-nginx --generate-name --set controller.service.type='NodePort' --set controller.admissionWebhooks.enabled=false" - name: Run chart-testing (next) # test with the next backstage-showcase version (main branch) - run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=next" \ No newline at end of file + run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=next" diff --git a/charts/backstage/Chart.yaml b/charts/backstage/Chart.yaml index 50f1140a..46173ae6 100644 --- a/charts/backstage/Chart.yaml +++ b/charts/backstage/Chart.yaml 
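Review bot: The new test-next job repeats every step of test-latest except the final `ct install` line, so the two will drift apart the next time an action SHA or the Helm repo list is bumped; a single job with a `strategy.matrix` over the image tag keeps one copy of the setup. The test-latest job header that such a merge would replace starts above this hunk. While here, quote the interpreter version as `python-version: "3.7"` so a later bump to 3.10 is not read by a generic YAML parser as the float 3.1.
```yaml
  test:
    name: Test ${{ matrix.tag }} Release
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        tag: ["latest", "next"]
    steps:
      # … unchanged: checkout, setup-helm, setup-python, chart-testing, repo add, lint, kind, ingress …
      - name: Run chart-testing (${{ matrix.tag }})
        run: ct install --config ct-install.yaml --helm-extra-set-args="--set=upstream.backstage.image.tag=${{ matrix.tag }}"
```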
@@ -41,4 +41,4 @@ sources: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.9.0 +version: 2.10.0 diff --git a/charts/backstage/README.md b/charts/backstage/README.md index ae4c8d14..1ec41d36 100644 --- a/charts/backstage/README.md +++ b/charts/backstage/README.md @@ -2,7 +2,7 @@ # Janus-IDP Backstage Helm Chart [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/janus-idp&style=flat-square)](https://artifacthub.io/packages/search?repo=janus-idp) -![Version: 2.9.0](https://img.shields.io/badge/Version-2.9.0-informational?style=flat-square) +![Version: 2.10.0](https://img.shields.io/badge/Version-2.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) A Helm chart for deploying a Backstage application @@ -128,6 +128,11 @@ Kubernetes: `>= 1.19.0-0` | Key | Description | Type | Default | |-----|-------------|------|---------| +| global.auth | Enable service authentication within Backstage instance | object | `{"backend":{"enabled":true,"existingSecret":"","value":""}}` | +| global.auth.backend | Backend service to service authentication
Ref: https://backstage.io/docs/auth/service-to-service-auth/ | object | `{"enabled":true,"existingSecret":"","value":""}` | +| global.auth.backend.enabled | Enable backend service to service authentication, unless configured otherwise it generates a secret value | bool | `true` | +| global.auth.backend.existingSecret | Instead of generating a secret value, refer to existing secret | string | `""` | +| global.auth.backend.value | Instead of generating a secret value, use fo;lowing value | string | `""` | | global.clusterRouterBase | Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled. | string | `"apps.example.com"` | | global.dynamic.includes | Array of YAML files listing dynamic plugins to include with those listed in the `plugins` field. Relative paths are resolved from the working directory of the initContainer that will install the plugins (`/opt/app-root/src`). | list | `["dynamic-plugins.default.yaml"]` | | global.dynamic.includes[0] | List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default. This file ONLY works with the `janus-idp/backstage-showcase` container image. | string | `"dynamic-plugins.default.yaml"` | diff --git a/charts/backstage/ci/default-values.yaml b/charts/backstage/ci/default-values.yaml index 65f133b8..da4457ad 100644 --- a/charts/backstage/ci/default-values.yaml +++ b/charts/backstage/ci/default-values.yaml @@ -6,9 +6,3 @@ upstream: primary: persistence: enabled: false - backstage: - appConfig: - backend: - auth: - keys: - - secret: sEKIT4CwJ4MwVLzen5SFL6fJmwOPB2sl diff --git a/charts/backstage/templates/_helpers.tpl b/charts/backstage/templates/_helpers.tpl index ea6311d1..f7869893 100644 --- a/charts/backstage/templates/_helpers.tpl +++ b/charts/backstage/templates/_helpers.tpl 
@@ -10,3 +10,14 @@ Returns custom hostname {{ fail "Unable to generate hostname" }} {{- end -}} {{- end -}} + +{{/* +Returns a secret name for service to service auth +*/}} +{{- define "janus-idp.backend-secret-name" -}} + {{- if .Values.global.auth.backend.existingSecret -}} + {{- .Values.global.auth.backend.existingSecret -}} + {{- else -}} + {{- include "common.names.fullname" . -}}-auth + {{- end -}} +{{- end -}} diff --git a/charts/backstage/templates/secrets.yaml b/charts/backstage/templates/secrets.yaml new file mode 100644 index 00000000..66910511 --- /dev/null +++ b/charts/backstage/templates/secrets.yaml @@ -0,0 +1,19 @@ +{{- if and (not .Values.global.auth.backend.existingSecret) .Values.global.auth.backend.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-auth + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: backstage + {{- if .Values.upstream.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.upstream.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.upstream.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.upstream.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + backend-secret: {{ (ternary (randAlphaNum 24 ) .Values.global.auth.backend.value (empty .Values.global.auth.backend.value)) | b64enc | quote }} +{{- end }} diff --git a/charts/backstage/values.schema.json b/charts/backstage/values.schema.json index 25ccc474..89a87ecf 100644 --- a/charts/backstage/values.schema.json +++ b/charts/backstage/values.schema.json 
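Review bot: The comment above janus-idp.backend-secret-name does not say which input wins or that the fallback name exists only conditionally, which matters because values.yaml references the returned name from a secretKeyRef. I would expand it to `{{/* Returns the name of the Secret holding the backend service-to-service key: global.auth.backend.existingSecret when set, otherwise "<fullname>-auth", which templates/secrets.yaml renders only when global.auth.backend.enabled is true */}}`.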
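Review bot: `randAlphaNum 24` on the data line runs on every render, so each `helm upgrade` rewrites backend-secret unless global.auth.backend.value is set; because the pod reads it through a secretKeyRef the pod template does not change, so replicas started before the upgrade keep the old signing key while new ones get the new key, and service-to-service tokens are rejected between them until every pod has restarted. Reading the live object with `lookup` and keeping its current value avoids that rotation (the bundled bitnami common library may already expose this as `common.secrets.passwords.manage`, if the vendored version has it); `lookup` returns nothing under `helm template` or `--dry-run`, where a fresh value is still generated, which is harmless for ct. The metadata.name should also come from the new janus-idp.backend-secret-name helper rather than repeating `-auth`, so the Secret and the env reference cannot drift.
```yaml
{{- if and (not .Values.global.auth.backend.existingSecret) .Values.global.auth.backend.enabled }}
{{- $secretName := include "janus-idp.backend-secret-name" . }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  # … unchanged: namespace, labels, annotations …
type: Opaque
data:
  {{- $current := "" }}
  {{- if $existing.data }}
  {{- /* value in the live object is already base64-encoded; keep it so upgrades do not rotate the key */}}
  {{- $current = index $existing.data "backend-secret" | default "" }}
  {{- end }}
  {{- if .Values.global.auth.backend.value }}
  backend-secret: {{ .Values.global.auth.backend.value | b64enc | quote }}
  {{- else if $current }}
  backend-secret: {{ $current | quote }}
  {{- else }}
  backend-secret: {{ randAlphaNum 24 | b64enc | quote }}
  {{- end }}
{{- end }}
```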
@@ -3,6 +3,35 @@ "properties": { "global": { "properties": { + "auth": { + "additionalProperties": false, + "properties": { + "backend": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": true, + "title": "Enable backend service to service authentication, unless configured otherwise it generates a secret value", + "type": "boolean" + }, + "existingSecret": { + "default": "", + "title": "Instead of generating a secret value, refer to existing secret", + "type": "string" + }, + "value": { + "default": "", + "title": "Instead of generating a secret value, use fo;lowing value", + "type": "string" + } + }, + "title": "Backend service to service authentication", + "type": "object" + } + }, + "title": "Enable service authentication within Backstage instance", + "type": "object" + }, "clusterRouterBase": { "default": "apps.example.com", "title": "Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled.", diff --git a/charts/backstage/values.schema.tmpl.json b/charts/backstage/values.schema.tmpl.json index b9ad0561..501955fd 100644 --- a/charts/backstage/values.schema.tmpl.json +++ b/charts/backstage/values.schema.tmpl.json 
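Review bot: The title for global.auth.backend.value reads `Instead of generating a secret value, use fo;lowing value`; the same typo is in values.schema.tmpl.json, charts/backstage/README.md and the helm-docs comment in values.yaml, and the alphabetized keys here suggest this file is generated from that comment, so the fix belongs there (`# -- Instead of generating a secret value, use the following value`) with the other three regenerated. The titles could also state precedence: per the new helper and the secrets.yaml condition, existingSecret wins and value is ignored whenever existingSecret is non-empty, which neither field's title currently says.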
@@ -67,6 +67,35 @@ "default": [] } } + }, + "auth": { + "title": "Enable service authentication within Backstage instance", + "type": "object", + "additionalProperties": false, + "properties": { + "backend": { + "title": "Backend service to service authentication", + "type": "object", + "additionalProperties": false, + "properties": { + "enabled": { + "title": "Enable backend service to service authentication, unless configured otherwise it generates a secret value", + "type": "boolean", + "default": true + }, + "existingSecret": { + "title": "Instead of generating a secret value, refer to existing secret", + "type": "string", + "default": "" + }, + "value": { + "title": "Instead of generating a secret value, use fo;lowing value", + "type": "string", + "default": "" + } + } + } + } } } }, diff --git a/charts/backstage/values.yaml b/charts/backstage/values.yaml index 692ae44e..78adb2ac 100644 --- a/charts/backstage/values.yaml +++ b/charts/backstage/values.yaml @@ -17,6 +17,17 @@ global: clusterRouterBase: apps.example.com # -- Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig` host: "" + # -- Enable service authentication within Backstage instance + auth: + # -- Backend service to service authentication + #
Ref: https://backstage.io/docs/auth/service-to-service-auth/ + backend: + # -- Enable backend service to service authentication, unless configured otherwise it generates a secret value + enabled: true + # -- Instead of generating a secret value, refer to existing secret + existingSecret: "" + # -- Instead of generating a secret value, use fo;lowing value + value: "" # -- Upstream Backstage [chart configuration](https://github.com/backstage/charts/blob/main/charts/backstage/values.yaml) # @default -- Use Openshift compatible settings @@ -47,6 +58,9 @@ upstream: connection: password: ${POSTGRESQL_ADMIN_PASSWORD} user: postgres + auth: + keys: + - secret: ${BACKEND_SECRET} readinessProbe: failureThreshold: 3 httpGet: @@ -68,6 +82,11 @@ upstream: successThreshold: 1 timeoutSeconds: 2 extraEnvVars: + - name: BACKEND_SECRET + valueFrom: + secretKeyRef: + key: backend-secret + name: '{{ include "janus-idp.backend-secret-name" $ }}' - name: POSTGRESQL_ADMIN_PASSWORD valueFrom: secretKeyRef:
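Review bot: With the defaults in this file, setting global.auth.backend.enabled to false leaves the BACKEND_SECRET entry in upstream.backstage.extraEnvVars pointing at `<fullname>-auth`, which templates/secrets.yaml then no longer renders, so the pod fails to start on the missing Secret (the secretKeyRef carries no `optional: true`) and appConfig still lists `backend.auth.keys` with `${BACKEND_SECRET}`. Either the Secret should be rendered whenever it is referenced, or the flag's comment should say what else must be overridden: `# -- Enable backend service to service authentication, unless configured otherwise it generates a secret value. When false, also remove the BACKEND_SECRET entry from upstream.backstage.extraEnvVars and backend.auth.keys from appConfig, otherwise the pod references a Secret that is not rendered`. The value field also invites a plaintext signing key in a committed values file; its comment could point to existingSecret as the preferred route. The @@ -17 hunk starts on the previous line, and the extraEnvVars list continues past the end of the @@ -68 hunk.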