This repository provides sample files and instructions for experimenting with Red Hat Developer Hub (Backstage) and different types of infrastructure integrations. It is open to contributions.
The sample below will:
- Create a project in OCP
- Install Red Hat SSO for OIDC authentication
- Create a Red Hat SSO instance, realm and 3 users (backstage-admin, backstage-user1, backstage-user2) with a default password of "test"
- Install Red Hat Developer Hub via Helm
- Give the backstage-admin user the admin role and backstage-user1 the catalog-admin role; backstage-user2 is a standard user.
- OCP Cluster >= 4.12
- oc command line tool
- Helm 3.2.0 or later is installed.
- PersistentVolume provisioner support in the underlying infrastructure is available.
- Tested with version 1.1.0 of openshift-helm-charts/redhat-developer-hub
- yq > 4
- Dependencies of the RHDH Helm Chart can change. Please review below for other dependencies.
helm show readme --version 1.1.0 openshift-helm-charts/redhat-developer-hub
Follow the steps below to install Keycloak and Red Hat Developer Hub:
-
Set Variables
Set the namespace to create resources in
export NAMESPACE=backstage-test
Set the Basedomain for OCP routes
export BASEDOMAIN=$(oc get ingresses.config.openshift.io/cluster -o jsonpath='{.spec.domain}')
Set a secret for SSO Client
export BACKSTAGE_CLIENT_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
Set an Auth Session Secret
export AUTH_SESSION_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
Set Keycloak Base URL
export KEYCLOAK_BASE_URL=https://keycloak-${NAMESPACE}.${BASEDOMAIN}
Set Keycloak Realm Name
export KEYCLOAK_REALM=backstage
-
Create deploy namespace
oc kustomize ./namespace | envsubst | oc apply -f -
-
Install the Red Hat SSO Operator
oc kustomize ./sso-operator/ | envsubst | oc apply -f -
-
Create the Red Hat SSO Instance, Realm, Client and Users. This will create 3 users (admin, user1, user2), all with a password set to the value "test".
oc kustomize ./sso-manifests | envsubst | oc apply -f -
-
Create our Application Specific Configuration
cat ./rhdh-manifests/keycloak/app-config-rhdh.yaml | envsubst '${NAMESPACE}' | oc apply -n ${NAMESPACE} -f -
cat ./rhdh-manifests/keycloak/policy-configmap.yaml | envsubst '${NAMESPACE}' | oc apply -n ${NAMESPACE} -f -
-
Wait for the Keycloak instance to be ready (the whole block can be copied at once)
csv=$(oc get subscriptions.operators.coreos.com/rhsso-operator -n ${NAMESPACE} -o jsonpath='{.status.installedCSV}');
oc wait --for=jsonpath='{.status.phase}'=Succeeded ClusterServiceVersion/$csv --allow-missing-template-keys=true --timeout=150s -n $NAMESPACE;
until [ $(curl -k -s -o /dev/null -I -w "%{http_code}" ${KEYCLOAK_BASE_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration) -eq "200" ]; do
  echo -e "Waiting for Keycloak instance endpoint to become ready at ${KEYCLOAK_BASE_URL}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration \n" && sleep 10
done
oc wait --for=jsonpath='{.status.ready}'=true --allow-missing-template-keys=true --timeout=120s Keycloak/backstage -n $NAMESPACE
-
Update Helm Information
helm repo update openshift-helm-charts
helm show values openshift-helm-charts/redhat-developer-hub --version 1.1.0 > ./rhdh-manifests/base/values.yaml
-
Create our Developer Release via Helm (by merging files manually)
yq eval-all '. as $item ireduce ({}; . *+ $item)' ./rhdh-manifests/base/values.yaml ./rhdh-manifests/keycloak/values.yaml > ./rhdh-manifests/keycloak/values-new.yaml
helm upgrade -i developer-hub openshift-helm-charts/redhat-developer-hub \
  --version 1.1.0 \
  -f ./rhdh-manifests/keycloak/values-new.yaml \
  -n ${NAMESPACE}
-
It takes a few minutes, but Developer Hub should become available at
oc get route developer-hub -n ${NAMESPACE} -o jsonpath='{.spec.host}'
export NAMESPACE=backstage-test;
helm uninstall developer-hub -n ${NAMESPACE};
oc kustomize ./sso-manifests | envsubst | oc delete -f - ; \
oc kustomize ./sso-operator/ | envsubst | oc delete -f - ; \
oc kustomize ./namespace | envsubst | oc delete -f -
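The steps above pipe manifests through envsubst, which sees only exported variables and renders unset ones as empty strings (for example an empty BACKSTAGE_CLIENT_SECRET). The check below is an added example, not part of this repository; the function names and the sample Secret manifest are hypothetical.

```shell
#!/bin/sh
# Added example, not from the repository: guard for `... | envsubst | oc apply -f -`.
# envsubst sees only exported variables and renders unset ones as "".

# stdin: manifest text. stdout: every ${VAR} placeholder that is unset or
# empty in the exported environment, one name per line, sorted.
# Only the ${VAR} form (the one used in the steps above) is checked.
missing_template_vars() {
  grep -o '[$]{[A-Za-z_][A-Za-z0-9_]*}' | tr -d '${}' | sort -u |
  while IFS= read -r name; do
    # printenv reads the exported environment, the same view envsubst has.
    value=$(printenv "$name" || true)
    [ -n "$value" ] || printf '%s\n' "$name"
  done
}

# stdin: manifest text. Renders with envsubst only when every placeholder has
# a value; otherwise names the missing variables on stderr and returns 1.
render_checked() {
  manifest=$(cat)
  missing=$(printf '%s\n' "$manifest" | missing_template_vars | tr '\n' ' ')
  if [ -n "$missing" ]; then
    printf 'refusing to render, unset or empty: %s\n' "$missing" >&2
    return 1
  fi
  printf '%s\n' "$manifest" | envsubst
}

# Constructed sample manifest (hypothetical, not a file from the repository).
SAMPLE_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  name: sample-backstage-secrets
  namespace: ${NAMESPACE}
stringData:
  clientSecret: ${BACKSTAGE_CLIENT_SECRET}
  sessionSecret: ${AUTH_SESSION_SECRET}'

# Demo: prints the placeholders that would be rendered as empty strings.
printf '%s\n' "$SAMPLE_MANIFEST" | missing_template_vars
```

In the steps above it would sit in the pipe as: oc kustomize ./sso-manifests | render_checked | oc apply -f -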
Show Jenkins integration using Jenkins on OpenShift and Keycloak for authentication
- Tested with Jenkins 2.401.1
- Tested with Jenkins OpenShift template with Jenkins OpenShift Oauth
- Run steps from Sample 1 above to deploy Keycloak
-
Let's start the deploy for a Jenkins Example
-
Set your Jenkins namespace. An example Jenkins installation and pipeline are provided. The command below should spin up a Jenkins instance in namespace 1234-jenkins, build an agent image and run the pipeline build
./jenkins/deploy/deploy-script.sh
-
Set the namespace for Jenkins (from our example above it's 1234-jenkins)
export JENKINS_NAMESPACE=1234-jenkins
-
Set the Service Account that Jenkins uses for authentication; the example above used jenkins.
export JENKINS_SA=jenkins
-
Set the Jenkins username; in the example above we use the SA. If yours is different, use yours.
export JENKINS_USERNAME="system:serviceaccount:${JENKINS_NAMESPACE}:${JENKINS_SA}-admin-edit-view"
-
Obtain Jenkins route
export JENKINS_ROUTE=$(oc get route jenkins -n ${JENKINS_NAMESPACE} -o jsonpath='{.spec.host}')
-
Obtain the SA token
TOKEN_SECRET_NAME=$(oc describe sa/${JENKINS_SA} -n ${JENKINS_NAMESPACE} | grep Tokens | head -n 1 | cut -d ":" -f2 | tr -d " ")
USER_TOKEN=$(oc get secret ${TOKEN_SECRET_NAME} -o=jsonpath={.data.token} -n ${JENKINS_NAMESPACE} | base64 -d)
-
Obtain a Jenkins API token
export JENKINS_API_TOKEN=$(curl -k -X POST -H "Authorization: Bearer ${USER_TOKEN}" "https://${JENKINS_ROUTE}/user/${JENKINS_USERNAME}/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken" --data 'newTokenName=backstage-token' | jq '.data.tokenValue' | tr -d '"')
-
We need to create our Jenkins secret for Backstage to use
cat ./jenkins/jenkins-backstage-secret.yaml | envsubst | oc apply -f -
-
Update Helm Information
helm repo update openshift-helm-charts
helm show values openshift-helm-charts/redhat-developer-hub --version 1.1.0 > ./rhdh-manifests/base/values.yaml
-
Merge the Keycloak values files with the Jenkins values.
yq eval-all '. as $item ireduce ({}; . *+ $item)' ./rhdh-manifests/base/values.yaml ./rhdh-manifests/keycloak/values.yaml > ./rhdh-manifests/keycloak/values-new.yaml
yq eval-all '. as $item ireduce ({}; . *+ $item)' ./rhdh-manifests/keycloak/values-new.yaml ./jenkins/values.yaml > ./jenkins/values-new.yaml
helm upgrade -i developer-hub openshift-helm-charts/redhat-developer-hub \
  --version 1.1.0 \
  -f ./jenkins/values-new.yaml \
  -n ${NAMESPACE}
-
We should now be able to register our Jenkins component and display it
-
After running through the registration process we should have our component available.
-
With CI information from Jenkins available
-
Clean up Sample 2
./jenkins/deploy/deploy-script.sh cleanup