Adapting the kustomize resourcesf for backstage app

Author: LukasCuperDT

kubernetes/helm_charts/local/argo-cd/values/preprod/values-argocd-applications.yaml

@@ -310,29 +310,63 @@ applications:
 ########## KUSTOMIZE APPS ###########
 #####################################
 
-  - name: kustomize-backstage-dev
+  # - name: kustomize-backstage-dev
+  #   clusters: [preprod]
+  #   config:
+  #     namespace: backstage-dev
+  #     repoURL: 'https://github.com/opentelekomcloud-infra/system-config.git'
+  #     targetRevision: 'Providing_backstage_kustomize_app'
+  #     path: kubernetes/kustomize/backstage/overlays/dev/
+  #     project: infra
+  #     kustomize: {}
+  #     syncPolicy:
+  #       automated:
+  #         prune: true
+  #         selfHeal: true
+  #       syncOptions:
+  #         - CreateNamespace=true
+
+  - name: openapi-validator
     clusters: [preprod]
     config:
-      namespace: backstage-dev
+      namespace: openapi-validator
+      repoURL: 'https://github.com/opentelekomcloud-infra/system-config.git'
+      targetRevision: 'Helm_charts_restructure&Pre-Prod_setup'
+      path: kubernetes/kustomize/openapi-validator/overlays/dev/
+      pluginName: argocd-vault-plugin-kustomize
+      pluginEnv: '.'
+      project: infra
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+
+  - name: redis
+    clusters: [preprod]
+    config:
+      namespace: redis
       repoURL: 'https://github.com/opentelekomcloud-infra/system-config.git'
       targetRevision: 'Providing_backstage_kustomize_app'
-      path: kubernetes/kustomize/backstage/overlays/dev/
+      path: kubernetes/kustomize/redis/
+      pluginName: argocd-vault-plugin-kustomize
+      pluginEnv: '.'
       project: infra
-      kustomize: {}
       syncPolicy:
         automated:
           prune: true
           selfHeal: true
         syncOptions:
           - CreateNamespace=true
 
-  - name: openapi-validator
+  - name: backstage
     clusters: [preprod]
     config:
-      namespace: openapi-validator
+      namespace: backstage
       repoURL: 'https://github.com/opentelekomcloud-infra/system-config.git'
-      targetRevision: 'Helm_charts_restructure&Pre-Prod_setup'
-      path: kubernetes/kustomize/openapi-validator/overlays/dev/
+      targetRevision: 'Providing_backstage_kustomize_app'
+      path: kubernetes/kustomize/backstage/overlays/preprod/
       pluginName: argocd-vault-plugin-kustomize
       pluginEnv: '.'
       project: infra

kubernetes/kustomize/backstage/base/backstage.env

@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -23,11 +24,29 @@ spec:
           ports:
             - name: http
               containerPort: 7007
+          env:
+            # Static configuration
+            - name: APP_CONFIG
+              value: "/app/app-config.production.yaml"
+            - name: POSTGRES_PORT
+              value: "5432"
+            # Default values (can be overridden in overlays)
+            - name: LOG_LEVEL
+              value: "info"
+            - name: NODE_ENV
+              value: "production"
+            - name: AUTH_ENVIRONMENT
+              value: "production"
+            - name: DANGEROUS_DISABLE_AUTH_POLICY
+              value: "false"
           envFrom:
-            - configMapRef:
-                name: config
             - secretRef:
                 name: backstage-secret
+          volumeMounts:
+            - name: app-config
+              mountPath: /app/app-config.production.yaml
+              subPath: app-config.production.yaml
+              readOnly: true
           resources:
             requests:
               cpu: "50m"
@@ -36,12 +55,26 @@ spec:
               cpu: "500m"
               memory: "500Mi"
           readinessProbe:
-            tcpSocket:
+            httpGet:
+              path: /healthcheck
               port: 7007
-            initialDelaySeconds: 20
-            periodSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 10
+            failureThreshold: 5
           livenessProbe:
-            tcpSocket:
+            httpGet:
+              path: /healthcheck
               port: 7007
-            initialDelaySeconds: 20
-            periodSeconds: 5
+            initialDelaySeconds: 120
+            periodSeconds: 30
+            timeoutSeconds: 10
+            failureThreshold: 3
+      volumes:
+        - name: app-config
+          secret:
+            secretName: backstage-secret
+            items:
+              - key: app-config.production.yaml
+                path: app-config.production.yaml
+            defaultMode: 0400

kubernetes/kustomize/backstage/base/deployment.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
@@ -15,13 +16,3 @@ resources:
 - deployment.yaml
 - sa.yaml
 - secret.yaml
-
-configMapGenerator:
-- name: config
-  envs:
-  - backstage.env
-
-generatorOptions:
-  disableNameSuffixHash: false
-  labels:
-    app.kubernetes.io/managed-by: kustomize

kubernetes/kustomize/backstage/base/kustomization.yaml

@@ -6,20 +6,149 @@ metadata:
 type: Opaque
 stringData:
   # Database configuration
-  POSTGRES_HOST: <path:secret/data/backstage/database#host>
-  POSTGRES_PORT: <path:secret/data/backstage/database#port>
-  POSTGRES_USER: <path:secret/data/backstage/database#username>
-  POSTGRES_PASSWORD: <path:secret/data/backstage/database#password>
+  POSTGRES_HOST: <path:secret/data/postgresql/backstage#host>
+  POSTGRES_USER: <path:secret/data/postgresql/backstage#username>
+  POSTGRES_PASSWORD: <path:secret/data/postgresql/backstage#password>
 
-  # Auth configuration
-  AUTH_GITHUB_CLIENT_ID: <path:secret/data/backstage/auth#github_client_id>
-  AUTH_GITHUB_CLIENT_SECRET: >-
-    <path:secret/data/backstage/auth#github_client_secret>
+  # Backend configuration
+  BACKEND_SECRET: <path:secret/data/backstage/config#backend_secret>
+  BACKSTAGE_BASE_URL: https://<path:secret/data/backstage/config#base_url>
 
-  # Integration tokens
-  GITHUB_TOKEN: <path:secret/data/backstage/integrations#github_token>
-  GITLAB_TOKEN: <path:secret/data/backstage/integrations#gitlab_token>
+  # GitHub Auth configuration
+  AUTH_GITHUB_CLIENT_ID: ""
+  AUTH_GITHUB_CLIENT_SECRET: ""
 
-  # App configuration
-  BACKEND_SECRET: <path:secret/data/backstage/config#backend_secret>
-  CATALOG_TOKEN: <path:secret/data/backstage/config#catalog_token>
+  # GitHub Integration configuration
+  GITHUB_APP_ID: ""
+  GITHUB_CLIENT_ID: ""
+  GITHUB_CLIENT_SECRET: ""
+  GITHUB_WEBHOOK_SECRET: ""
+  GITHUB_PRIVATE_KEY: ""
+
+  # Gitea configuration
+  GITEA_CLIENT_ID: <path:secret/data/backstage/gitea#clientId>
+  GITEA_CLIENT_SECRET: <path:secret/data/backstage/gitea#clientSecret>
+  GITEA_TOKEN: <path:secret/data/backstage/gitea#token>
+  GITEA_URL: <path:secret/data/gitea/config#gitea_address>
+
+  # Zitadel/OIDC configuration
+  ZITADEL_PROJECT_ID: <path:secret/data/backstage/zitadel#projectId>
+  ZITADEL_CLIENT_ID: <path:secret/data/backstage/zitadel#clientId>
+  ZITADEL_CLIENT_SECRET: <path:secret/data/backstage/zitadel#clientSecret>
+  ZITADEL_URL: https://<path:secret/data/zitadel/config#base_url>
+
+  # Kubernetes configuration
+  K8S_INFRA2_TOKEN: ""
+
+  # Grafana configuration
+  GRAFANA_TOKEN: ""
+
+  # Dependency Track configuration
+  DEPENDENCYTRACK_TOKEN: ""
+
+  # Secure configuration file - this replaces the ConfigMap
+  app-config.production.yaml: |
+    app:
+      baseUrl: ${BACKSTAGE_BASE_URL}
+
+    backend:
+      auth:
+        dangerouslyDisableDefaultAuthPolicy: ${DANGEROUS_DISABLE_AUTH_POLICY}
+      baseUrl: ${BACKSTAGE_BASE_URL}
+      listen:
+        port: 7007
+      cors:
+        origin: ${BACKSTAGE_BASE_URL}
+      database:
+        client: pg
+        connection:
+          host: ${POSTGRES_HOST}
+          port: ${POSTGRES_PORT}
+          user: ${POSTGRES_USER}
+          password: ${POSTGRES_PASSWORD}
+          database: backstage
+
+    auth:
+      environment: ${AUTH_ENVIRONMENT}
+      providers:
+        oauth2Proxy: {}
+        github:
+          development:
+            clientId: ${GITHUB_CLIENT_ID}
+            clientSecret: ${GITHUB_CLIENT_SECRET}
+          production:
+            clientId: ${GITHUB_CLIENT_ID}
+            clientSecret: ${GITHUB_CLIENT_SECRET}
+        gitea:
+          development:
+            metadataUrl: https://${GITEA_URL}/.well-known/openid-configuration
+            authorizationUrl: https://${GITEA_URL}/login/oauth/authorize
+            tokenUrl: https://${GITEA_URL}/login/oauth/access_token
+            clientId: ${GITEA_CLIENT_ID}
+            clientSecret: ${GITEA_CLIENT_SECRET}
+
+    catalog:
+      providers:
+        zitadelOrg:
+          default:
+            baseUrl: ${ZITADEL_URL}
+            projectId: ${ZITADEL_PROJECT_ID}
+            clientId: ${ZITADEL_CLIENT_ID}
+            clientSecret: ${ZITADEL_CLIENT_SECRET}
+      rules:
+        - allow: [Component, System, API, Resource, Location, Group, User, Template]
+      locations:
+        - type: url
+          target: https://${GITEA_URL}/backstage/catalog/contents/blob/main/otc-catalog.yaml
+          rules:
+            - allow: [Domain, Group, User, Location, Component, Resource, API, System]
+        - type: url
+          target: https://${GITEA_URL}/backstage/catalog-compute/contents/blob/main/catalog.yaml
+        - type: url
+          target: https://${GITEA_URL}/backstage/catalog-ecosystem/contents/blob/main/catalog.yaml
+        - type: url
+          target: https://github.com/opentelekomcloud-infra/backstage-templates/blob/main/catalog.yaml
+          rules:
+            - allow: [Template]
+
+    integrations:
+      gitea:
+        - host: ${GITEA_URL}
+          password: ${GITEA_TOKEN}
+      github:
+        - host: github.com
+          apps:
+            - appId: ${GITHUB_APP_ID}
+              clientId: ${GITHUB_CLIENT_ID}
+              clientSecret: ${GITHUB_CLIENT_SECRET}
+              webhookSecret: ${GITHUB_WEBHOOK_SECRET}
+              privateKey: |
+                ${GITHUB_PRIVATE_KEY}
+
+    kubernetes:
+      serviceLocatorMethod:
+        type: 'multiTenant'
+      clusterLocatorMethods:
+        - type: 'config'
+          clusters:
+            - name: ""
+              authProvider: 'serviceAccount'
+              skipTLSVerify: true
+              skipMetricsLookup: true
+              url: ''
+              serviceAccountToken: ${K8S_INFRA2_TOKEN}
+
+    proxy:
+      '/grafana/api':
+        target: https://dashboard.eco-preprod.tsi-dev.otc-service.com
+        headers:
+          Authorization: "Bearer ${GRAFANA_TOKEN}"
+      '/dependencytrack':
+        target: https://dependencytrack.eco-preprod.tsi-dev.otc-service.com
+        allowedMethods: ['GET']
+        headers:
+          X-Api-Key: "${DEPENDENCYTRACK_TOKEN}"
+      '/quay/api':
+        target: 'https://quay.io'
+        headers:
+          X-Requested-With: 'XMLHttpRequest'

kubernetes/kustomize/backstage/base/secret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backstage
+spec:
+  template:
+    spec:
+      containers:
+        - name: backstage
+          env:
+            - name: LOG_LEVEL
+              value: "debug"
+            - name: NODE_ENV
+              value: "preprod"
+            - name: AUTH_ENVIRONMENT
+              value: "development"
+            - name: DANGEROUS_DISABLE_AUTH_POLICY
+              value: "true"