RHDH Infra Samples

This repository provides sample files and instructions to play with Red Hat Developer Hub(Backstage) and different types of Infrastructure integrations. it's open to contributions

Sample 1 - Authentication with Red Hat SSO(keycloak) via OIDC

The below sample will:

Create a project in OCP
Install Red Hat SSO for OIDC authentication
Create a Red Hat SSO Instance Instance,Realm and 3 Users(backstage-admin,backstage-user1,backstage-user2) with a default password of "test"
Install Red Hat Developer Hub via Helm
Give backstage-admin user the admin role, backstage-user1 the catalog-admin role and backstage-user2 is a standard user.

Requirements

OCP Cluster => 4.12
oc command line tool
Helm 3.2.0 or later is installed.
PersistentVolume provisioner support in the underlying infrastructure is available.
Tested with version 1.1.0 of openshift-helm-charts/redhat-developer-hub
yq > 4
Dependecies of the RHDH Helm Chart can change. Please review below for other dependencies.
```
helm show readme --version 1.1.0 openshift-helm-charts/redhat-developer-hub
```

Installation

Follow the steps below to install Keycloak and Red Hat Developer Hub:

Steps

Set Variables

Set Namespace to create resources In

export NAMESPACE=backstage-test

Set the Basedomain for OCP routes

export BASEDOMAIN=$(oc get ingresses.config.openshift.io/cluster -o jsonpath='{.spec.domain}')

Set a secret for SSO Client

export BACKSTAGE_CLIENT_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

Set an Auth Session Secret

export AUTH_SESSION_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

Set Keycloak Base URL

export KEYCLOAK_BASE_URL=https://keycloak-${NAMESPACE}.${BASEDOMAIN}

Set Keycloak Realm Name

export KEYCLOAK_REALM=backstage

Create deploy namespace

oc kustomize ./namespace | envsubst | oc apply -f -

Install the Red Hat SSO Operator

oc kustomize ./sso-operator/ | envsubst | oc apply -f -

Create the Red Hat SSO Instance,Realm,Client and User. This will create 3 users admin,user1,user2 all with a password set to the value "test".
```
oc kustomize ./sso-manifests | envsubst | oc apply -f -
```

Create our Application Specific Configuration

cat ./rhdh-manifests/keycloak/app-config-rhdh.yaml  | envsubst '${NAMESPACE}' | oc apply -n ${NAMESPACE} -f -

cat ./rhdh-manifests/keycloak/policy-configmap.yaml  | envsubst '${NAMESPACE}' | oc apply -n ${NAMESPACE} -f -

Wait for Keycloak Instance to be Ready(Can copy all)

csv=$(oc get subscriptions.operators.coreos.com/rhsso-operator -n ${NAMESPACE} -o jsonpath='{.status.installedCSV}');


oc wait --for=jsonpath='{.status.phase}'=Succeeded ClusterServiceVersion/$csv --allow-missing-template-keys=true --timeout=150s -n $NAMESPACE;

until [ $(curl -k -s -o /dev/null -I -w "%{http_code}" ${KEYCLOAK_BASE_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration) -eq "200" ];do echo -e "Waiting for Keycloak instance endpoint to become ready at ${KEYCLOAK_BASE_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration \n" && sleep 10;done

oc wait --for=jsonpath='{.status.ready}'=true --allow-missing-template-keys=true --timeout=120s Keycloak/backstage -n $NAMESPACE

Update Helm Information

helm repo update openshift-helm-charts

helm show values openshift-helm-charts/redhat-developer-hub --version 1.1.0 > ./rhdh-manifests/base/values.yaml

Create our Developer Release via Helm(By Merging files manually)

yq eval-all '. as $item ireduce ({}; . *+ $item)' ./rhdh-manifests/base/values.yaml ./rhdh-manifests/keycloak/values.yaml  > ./rhdh-manifests/keycloak/values-new.yaml

helm upgrade -i developer-hub openshift-helm-charts/redhat-developer-hub \
--version 1.1.0 \
-f ./rhdh-manifests/keycloak/values-new.yaml \
-n ${NAMESPACE}

It takes a few minutes , but Developer Hub should become available at

oc get route developer-hub -n ${NAMESPACE} -o jsonpath='{.spec.host}'

Clean Up - Sample 1

export NAMESPACE=backstage-test;
helm uninstall developer-hub -n ${NAMESPACE};
oc kustomize ./sso-manifests | envsubst | oc delete -f - ; \
oc kustomize ./sso-operator/ | envsubst | oc delete -f - ; \
oc kustomize ./namespace | envsubst | oc delete -f -

Sample 2 - RHDH and Jenkins with Keycloak

Show Jenkins integration using Jenkins on OpenShift and Keycloak for authentication

Requirements

Tested with Jenkins 2.401.1
Tested with Jenkins OpenShift template with Jenkins OpenShift Oauth

Steps

Run steps from Sample 1 above to deploy Keycloak

Let's start the deploy for a Jenkins Example
Set your jenkins namespace.An example Jenkins Installation and pipeline are provided. The below command should spin up a Jenkins Instance in namespace 1234-Jenkins, build an agent image and run the pipeline build
```
./jenkins/deploy/deploy-script.sh
```
set namespace for Jenkins(From our example above it's 1234-jenkins)
```
export JENKINS_NAMESPACE=1234-jenkins
```
Set the Service Account being used for jenkins for authentication, example above used Jenkins.
```
export JENKINS_SA=jenkins
```

Set Jenkins username, for example above we use the SA. If different use yours

export JENKINS_USERNAME="system:serviceaccount:${JENKINS_NAMESPACE}:${JENKINS_SA}-admin-edit-view"

Obtain Jenkins route

export JENKINS_ROUTE=$(oc get route jenkins -n ${JENKINS_NAMESPACE} -o jsonpath='{.spec.host}')

Obtain the SA token

TOKEN_SECRET_NAME=$(oc describe sa/${JENKINS_SA} -n ${JENKINS_NAMESPACE} | grep Tokens | head -n 1 | cut -d ":" -f2 | tr -d " ")

USER_TOKEN=$(oc get secret ${TOKEN_SECRET_NAME} -o=jsonpath={.data.token} -n ${JENKINS_NAMESPACE} | base64 -d)

Obtain a Jenkins API token

export JENKINS_API_TOKEN=$(curl -k -X POST -H "Authorization: Bearer ${USER_TOKEN}" "https://${JENKINS_ROUTE}/user/${JENKINS_USERNAME}/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken" --data 'newTokenName=backstage-token' | jq '.data.tokenValue' | tr -d '"')

We need to create our jenkins secret for backstage to use

cat ./jenkins/jenkins-backstage-secret.yaml | envsubst | oc apply -f -

Update Helm Information

helm repo update openshift-helm-charts

helm show values openshift-helm-charts/redhat-developer-hub --version 1.1.0 > ./rhdh-manifests/base/values.yaml

Merge Keycloak Values files with jenkins.

yq eval-all '. as $item ireduce ({}; . *+ $item)' ./rhdh-manifests/base/values.yaml ./rhdh-manifests/keycloak/values.yaml  > ./rhdh-manifests/keycloak/values-new.yaml

yq eval-all '. as $item ireduce ({}; . *+ $item)' ./rhdh-manifests/keycloak/values-new.yaml ./jenkins/values.yaml  > ./jenkins/values-new.yaml    

helm upgrade -i developer-hub openshift-helm-charts/redhat-developer-hub \
--version 1.1.0 \
-f ./jenkins/values-new.yaml \
-n ${NAMESPACE}

We should now be able to register our Jenkins component and display it
Provide this repo URL to create
After running through the registration process we should have our component available.
With CI information from Jenkins available

Clean Up - Sample 2

Clean up Sample 2

./jenkins/deploy/deploy-script.sh cleanup

Clean Up Sample 1

ibolton336 / rhdh-infra-sample Goto Github PK