config

2026-04-23 20:31:04 +02:00
parent dc7074312b
commit 34ff37edbf
5 changed files with 125 additions and 23 deletions
--- a/cluster-resources/backstage-keycloak-client-config.yaml
+++ b/cluster-resources/backstage-keycloak-client-config.yaml
@@ -0,0 +1,43 @@
 # Self-service Keycloak client config for Backstage.
 # Kyverno clones this to the keycloak namespace, where the
 # keycloak-client-registrar CronJob processes it and creates
 # the backstage-oidc-credentials Secret in the backstage namespace.
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-backstage
  namespace: backstage
  labels:
    keycloak.forteapps.net/client-config: "true"
 stringData:
  client.json: |
    {
      "clientId": "backstage",
      "name": "Backstage Developer Portal",
      "redirectUris": ["https://backstage.forteapps.net/api/auth/oidc/handler/frame"],
      "webOrigins": ["https://backstage.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [
        {
          "name": "email_verified",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-hardcoded-claim-mapper",
          "config": {
            "claim.name": "email_verified",
            "claim.value": "true",
            "jsonType.label": "boolean",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        }
      ],
      "secret": {
        "namespace": "backstage",
        "name": "backstage-oidc-credentials",
        "keys": {
          "clientId": "AUTH_OIDC_CLIENT_ID",
          "clientSecret": "AUTH_OIDC_CLIENT_SECRET"
        }
      }
    }
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -986,15 +986,18 @@ ignore:
 - Dynamic plugins: loads `dynamic-plugins.default.yaml` (all 27+ bundled plugins)
 - Catalog rules: Component, System, API, Resource, Location, Template, Group, User, Domain
-**Dynamic Plugins**:
+**Authentication** (Keycloak OIDC):
-Add plugins at runtime via `global.dynamic.plugins` in values — no image rebuild:
+- Uses the self-service registrar pattern (see [Keycloak Client Registrar](#keycloak-client-registrar))
-```yaml
+- Config Secret: `cluster-resources/backstage-keycloak-client-config.yaml`
-global:
+- Kyverno clones it → registrar creates `backstage-oidc-credentials` Secret in `backstage` namespace
-  dynamic:
+- Credential keys: `AUTH_OIDC_CLIENT_ID`, `AUTH_OIDC_CLIENT_SECRET` (loaded via `extraEnvVarsSecrets`)
-    plugins:
+- Redirect URI: `https://backstage.forteapps.net/api/auth/oidc/handler/frame`
-    - package: "@scope/my-plugin@1.0.0"
+- Sign-in resolver: `emailMatchingUserEntityProfileEmail`
-      integrity: "sha512-..."
+
-```
+**Catalog Discovery** (Gitea):
 - Auto-discovers `catalog-info.yaml` from all repos in the `Forte` organization
 - Scans every 30 minutes via the Gitea catalog provider plugin
 - Gitea SCM integration configured for URL resolution (`git.forteapps.net`)
 **Catalog Registration**:
 Teams register services by adding a `catalog-info.yaml` to their repo root:
@@ -1012,22 +1015,31 @@ spec:
  owner: team-name
 ```
-Then add the location to `backstage-values.yaml` under `upstream.backstage.appConfig.catalog.locations`.
+Repos with this file are auto-discovered — no manual registration needed.
-**Per-cluster Configuration**:
+**Dynamic Plugins**:
-To set the ingress hostname, create a per-cluster overlay values file (e.g., `infra/values/upc-dev/backstage-values.yaml`) with:
+Add plugins at runtime via `global.dynamic.plugins` in values — no image rebuild:
 ```yaml
 global:
-  host: backstage.example.com
+  dynamic:
    plugins:
    - package: "@scope/my-plugin@1.0.0"
      integrity: "sha512-..."
 ```
 **Per-cluster Configuration** (`infra/values/upc-dev/backstage-values.yaml`):
 ```yaml
 global:
  host: backstage.forteapps.net
 upstream:
  backstage:
    appConfig:
      app:
-        baseUrl: https://backstage.example.com
+        baseUrl: https://backstage.forteapps.net
      backend:
-        baseUrl: https://backstage.example.com
+        baseUrl: https://backstage.forteapps.net
  ingress:
-    host: backstage.example.com
+    host: backstage.forteapps.net
 ```
 ### Keycloak Client Registrar
--- a/infra/base/backstage.yaml
+++ b/infra/base/backstage.yaml
@@ -22,6 +22,7 @@ spec:
      releaseName: backstage
      valueFiles:
      - $values/infra/values/base/backstage-values.yaml
      - $values/infra/values/upc-dev/backstage-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/values/base/backstage-values.yaml
+++ b/infra/values/base/backstage-values.yaml
@@ -36,9 +36,12 @@ upstream:
        cpu: 1000m
        memory: 2560Mi
    extraEnvVarsSecrets:
    - backstage-oidc-credentials
    appConfig:
      app:
-        title: "Forte Developer Portal"
+        title: "Forte Backstage"
        baseUrl: http://localhost:7007
      backend:
@@ -47,6 +50,27 @@ upstream:
          client: better-sqlite3
          connection: ":memory:"
      # -- Keycloak OIDC authentication
      signInPage: oidc
      auth:
        environment: production
        providers:
          oidc:
            production:
              metadataUrl: https://id.forteapps.net/realms/forte/.well-known/openid-configuration
              clientId: ${AUTH_OIDC_CLIENT_ID}
              clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
              prompt: auto
              signIn:
                resolvers:
                - resolver: emailMatchingUserEntityProfileEmail
      # -- Gitea SCM integration (for catalog URL resolution)
      integrations:
        gitea:
        - host: git.forteapps.net
      # -- Software catalog
      catalog:
        rules:
        - allow:
@@ -59,12 +83,22 @@ upstream:
          - Group
          - User
          - Domain
-        locations: []
+        providers:
-        # Register components from Gitea repositories by adding:
+          # Auto-discover catalog-info.yaml from all Forte org repos
          gitea:
            forte:
              organization: Forte
              host: git.forteapps.net
              catalogPath: catalog-info.yaml
              schedule:
                frequency: { minutes: 30 }
                timeout: { minutes: 3 }
        locations:
          # Backstage's own org data (bootstrap teams, systems, domains)
          # - type: url
-        #   target: https://git.forteapps.net/Forte/my-repo/raw/branch/main/catalog-info.yaml
+          #   target: https://git.forteapps.net/Forte/backstage-catalog/raw/branch/main/org.yaml
          #   rules:
-        #   - allow: [Component, System, API]
+          #   - allow: [Group, User, System, Domain]
  ingress:
    enabled: true
--- a/infra/values/upc-dev/backstage-values.yaml
+++ b/infra/values/upc-dev/backstage-values.yaml
@@ -0,0 +1,12 @@
 global:
  host: backstage.forteapps.net
 upstream:
  backstage:
    appConfig:
      app:
        baseUrl: https://backstage.forteapps.net
      backend:
        baseUrl: https://backstage.forteapps.net
  ingress:
    host: backstage.forteapps.net