feature/backstage

2026-04-23 23:03:13 +02:00
parent aa6775bed2
commit fbd1d10544
9 changed files with 334 additions and 48 deletions
--- a/cluster-resources/backstage-keycloak-client-config.yaml
+++ b/cluster-resources/backstage-keycloak-client-config.yaml
@@ -0,0 +1,43 @@
+# Self-service Keycloak client config for Backstage.
+# Kyverno clones this to the keycloak namespace, where the
+# keycloak-client-registrar CronJob processes it and creates
+# the backstage-oidc-credentials Secret in the backstage namespace.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-backstage
+  namespace: backstage
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "backstage",
+      "name": "Backstage Developer Portal",
+      "redirectUris": ["https://backstage.forteapps.net/api/auth/oidc/handler/frame"],
+      "webOrigins": ["https://backstage.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [
+        {
+          "name": "email_verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-hardcoded-claim-mapper",
+          "config": {
+            "claim.name": "email_verified",
+            "claim.value": "true",
+            "jsonType.label": "boolean",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ],
+      "secret": {
+        "namespace": "backstage",
+        "name": "backstage-oidc-credentials",
+        "keys": {
+          "clientId": "AUTH_OIDC_CLIENT_ID",
+          "clientSecret": "AUTH_OIDC_CLIENT_SECRET"
+        }
+      }
+    }
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: require-labels
-  annotations:
-    policies.kyverno.io/title: Require Labels
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod, Label
-    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
-  validationFailureAction: Audit
-  background: true
-  rules:
-  - name: check-for-labels
-    skipBackgroundRequests: true
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - istio-system
-          - argocd
-          - cert-manager
-          - monitoring
-          - secrets
-          - kyverno
-          - trivy-system
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    validate:
-      message: The label `app.kubernetes.io/name` is required.
-      allowExistingViolations: true
-      pattern:
-        metadata:
-          labels:
-            app.kubernetes.io/name: "?*"