Merge branch 'main' into 4410

.ibm/pipelines/value_files/values-showcase_auth-providers.yaml

@@ -0,0 +1,239 @@
+global:
+ dynamic:
+ includes:
+ - dynamic-plugins.default.yaml
+ plugins:
+ - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-keycloak-backend-dynamic
+ disabled: true
+ - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org-dynamic
+ disabled: true
+ - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-msgraph-dynamic
+ disabled: true
+ - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac
+ disabled: true
+upstream:
+ backstage:
+ appConfig:
+ signInPage: oidc
+ auth:
+ environment: production
+ session:
+ secret: superSecretSecret 
+ providers:
+ guest:
+ dangerouslyAllowOutsideDevelopment: true
+ microsoft:
+ development:
+ clientId: ${AUTH_PROVIDERS_AZURE_CLIENT_ID}
+ clientSecret: ${AUTH_PROVIDERS_AZURE_CLIENT_SECRET}
+ tenantId: ${AUTH_PROVIDERS_AZURE_TENANT_ID}
+ domainHint: ${AUTH_PROVIDERS_AZURE_TENANT_ID}
+ production:
+ clientId: ${AUTH_PROVIDERS_AZURE_CLIENT_ID}
+ clientSecret: ${AUTH_PROVIDERS_AZURE_CLIENT_SECRET}
+ tenantId: ${AUTH_PROVIDERS_AZURE_TENANT_ID}
+ domainHint: ${AUTH_PROVIDERS_AZURE_TENANT_ID}
+ github:
+ production:
+ clientSecret: ${AUTH_ORG_CLIENT_SECRET}
+ clientId: ${AUTH_ORG_CLIENT_ID}
+ oidc:
+ production:
+ metadataUrl: ${RHSSO76_METADATA_URL}
+ clientId: ${RHSSO76_CLIENT_ID}
+ clientSecret: ${RHSSO76_CLIENT_SECRET}
+ prompt: auto 
+ callbackUrl: ${RHSSO76_CALLBACK_URL}
+ integrations:
+ github:
+ - host: github.com
+ apps:
+ - appId: ${AUTH_ORG_APP_ID}
+ clientId: ${AUTH_ORG_CLIENT_ID}
+ clientSecret: ${AUTH_ORG_CLIENT_SECRET}
+ privateKey: ${AUTH_ORG1_PRIVATE_KEY}
+ webhookSecret: ${AUTH_ORG_WEBHOOK_SECRET}
+ catalog:
+ locations:
+ - type: url
+ target: https://github.com/janus-qe/auth-providers/blob/main/location.yaml
+ rules:
+ - allow: [Component, Group, User, Resource, Location, Template] 
+ providers:
+ githubOrg:
+ - id: github
+ githubUrl: https://github.com
+ orgs: ['${AUTH_PROVIDERS_GH_ORG_NAME}']
+ schedule:
+ initialDelay: { seconds: 10 }
+ frequency: { minutes: 1 }
+ timeout: { minutes: 1 }
+ microsoftGraphOrg:
+ default:
+ target: https://graph.microsoft.com/v1.0
+ authority: https://login.microsoftonline.com
+ tenantId: ${AUTH_PROVIDERS_AZURE_TENANT_ID}
+ clientId: ${AUTH_PROVIDERS_AZURE_CLIENT_ID}
+ clientSecret: ${AUTH_PROVIDERS_AZURE_CLIENT_SECRET}
+ user:
+ filter: accountEnabled eq true and userType eq 'member' and startswith(displayName,'QE')
+ group:
+ filter: >
+ securityEnabled eq true
+ and mailEnabled eq false
+ and startswith(displayName,'rhdh_test_group_')
+ schedule:
+ frequency: PT1M
+ timeout: PT1M
+ keycloakOrg:
+ default:
+ baseUrl: ${RHSSO76_URL}
+ loginRealm: ${AUTH_PROVIDERS_REALM_NAME}
+ realm: ${AUTH_PROVIDERS_REALM_NAME}
+ clientId: ${RHSSO76_CLIENT_ID}
+ clientSecret: ${RHSSO76_CLIENT_SECRET}
+ schedule:
+ frequency: { minutes: 1 }
+ timeout: { minutes: 1 }
+ permission:
+ enabled: true
+ rbac:
+ policyFileReload: true
+ policies-csv-file: './rbac/rbac-policy.csv'
+ admin:
+ users:
+ - name: user:default/qeadmin_rhdhtesting.onmicrosoft.com
+ - name: user:default/rhsso_admin
+ - name: user:default/rhdhqeauthadmin
+ extraEnvVarsSecrets:
+ - rhdh-secrets
+ image:
+ registry: quay.io
+ repository: rhdh/rhdh-hub-rhel9
+ tag: '1.3'
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 7007
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 2
+ timeoutSeconds: 2
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthcheck
+ port: 7007
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+ extraEnvVars:
+ - name: BACKEND_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: backend-secret
+ name: '{{ include "janus-idp.backend-secret-name" $ }}'
+ - name: POSTGRESQL_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: postgres-password
+ name: '{{ .Release.Name }}-postgresql'
+ # disable telemetry in CI
+ - name: SEGMENT_TEST_MODE
+ value: 'true'
+ - name: NODE_OPTIONS
+ value: '--no-node-snapshot'
+ args:
+ # This additional `app-config`` file is generated by the initContainer below, and contains the merged configuration of installed dynamic plugins.
+ - '--config'
+ - dynamic-plugins-root/app-config.dynamic-plugins.yaml
+ extraVolumeMounts:
+ - mountPath: /opt/app-root/src/dynamic-plugins-root
+ name: dynamic-plugins-root
+ - name: rbac-policy
+ mountPath: /opt/app-root/src/rbac
+ extraVolumes:
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+ name: dynamic-plugins-root
+ - name: rbac-policy
+ configMap:
+ defaultMode: 420
+ name: rbac-policy
+ - configMap:
+ defaultMode: 420
+ name: dynamic-plugins
+ optional: true
+ name: dynamic-plugins
+ - name: dynamic-plugins-npmrc
+ secret:
+ defaultMode: 420
+ optional: true
+ secretName: dynamic-plugins-npmrc
+ initContainers:
+ - command:
+ - ./install-dynamic-plugins.sh
+ - /dynamic-plugins-root
+ env:
+ - name: NPM_CONFIG_USERCONFIG
+ value: /opt/app-root/src/.npmrc.dynamic-plugins
+ image: '{{ include "backstage.image" . }}'
+ imagePullPolicy: Always
+ name: install-dynamic-plugins
+ volumeMounts:
+ - mountPath: /dynamic-plugins-root
+ name: dynamic-plugins-root
+ - mountPath: /opt/app-root/src/dynamic-plugins.yaml
+ name: dynamic-plugins
+ readOnly: true
+ subPath: dynamic-plugins.yaml
+ - mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
+ name: dynamic-plugins-npmrc
+ readOnly: true
+ subPath: .npmrc
+ workingDir: /opt/app-root/src
+ installDir: /opt/app-root/src
+ podAnnotations:
+ checksum/dynamic-plugins: >-
+ {{- include "common.tplvalues.render" ( dict "value"
+ .Values.global.dynamic "context" $) | sha256sum }}
+ postgresql:
+ enabled: true
+ postgresqlDataDir: /var/lib/pgsql/data/userdata
+ image:
+ registry: quay.io
+ repository: fedora/postgresql-15
+ tag: latest
+ auth:
+ secretKeys:
+ adminPasswordKey: postgres-password
+ userPasswordKey: password
+ primary:
+ securityContext:
+ enabled: false
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+ persistence:
+ enabled: false
+ size: 1Gi
+ mountPath: /var/lib/pgsql/data
+ extraEnvVars:
+ - name: POSTGRESQL_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: postgres-password
+ name: '{{ .Release.Name }}-postgresql'
+ ingress:
+ host: '{{ .Values.global.host }}'

e2e-tests/package.json

@@ -30,6 +30,13 @@
  "typescript": "5.6.2"
  },
  "dependencies": {
- "node-fetch": "3.3.2"
+ "@azure/identity": "^4.4.1",
+ "@keycloak/keycloak-admin-client": "^25.0.2",
+ "@kubernetes/client-node": "^0.21.0",
+ "@microsoft/microsoft-graph-client": "^3.0.7",
+ "isomorphic-fetch": "^3.0.0",
+ "node-fetch": "3.3.2",
+ "octokit": "^4.0.2",
+ "winston": "^3.14.2"
  }
 }

e2e-tests/playwright.config.ts

@@ -53,6 +53,7 @@ export default defineConfig({
  '**/playwright/e2e/plugins/rbac/**/*.spec.ts',
  '**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts',
  '**/playwright/e2e/verify-tls-config-with-external-postgres-db.spec.ts',
+ '**/playwright/e2e/authProviders/**/*.spec.ts',
  '**/playwright/e2e/plugins/bulk-import.spec.ts',
  ],
  },
@@ -66,6 +67,29 @@ export default defineConfig({
  '**/playwright/e2e/plugins/bulk-import.spec.ts',
  ],
  },
+ {
+ name: 'showcase-auth-providers',
+ use: {
+ ...devices['Desktop Chrome'],
+ viewport: { width: 1920, height: 1080 },
+ },
+ testMatch: ['**/playwright/e2e/authProviders/*.spec.ts'],
+ testIgnore: [
+ '**/playwright/e2e/authProviders/setup-environment.spec.ts',
+ '**/playwright/e2e/authProviders/clear-environment.spec.ts',
+ ],
+ dependencies: ['showcase-auth-providers-setup-environment'],
+ teardown: 'showcase-auth-providers-clear-environment',
+ retries: 2,
+ },
+ {
+ name: 'showcase-auth-providers-setup-environment',
+ testMatch: ['**/playwright/e2e/authProviders/setup-environment.spec.ts'],
+ },
+ {
+ name: 'showcase-auth-providers-clear-environment',
+ testMatch: ['**/playwright/e2e/authProviders/clear-environment.spec.ts'],
+ },
  {
  name: 'showcase-aks',
  ...useCommonDeviceAndViewportConfig,