From 284a2e5577f576414e9d8783bacd2f26bbccf9b2 Mon Sep 17 00:00:00 2001 From: yogananth subramanian Date: Mon, 17 Jun 2024 13:16:34 +0530 Subject: [PATCH] fix(RHIDP-2305): Fix populating components using keycloak. Fixes uploading entities and wait_for_indexing to use keycloak authentication. --- Makefile | 2 + ci-scripts/rhdh-setup/create_resource.sh | 95 +++++++++++++++++++--- ci-scripts/scalability/test-scalability.sh | 12 ++- 3 files changed, 97 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index 7447094..663a7d7 100644 --- a/Makefile +++ b/Makefile @@ -62,6 +62,8 @@ export TMP_DIR=$(shell readlink -m .tmp) # Local directory to store artifacts export ARTIFACT_DIR ?= $(shell readlink -m .artifacts) +export PROJ_ROOT := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) + # Name of the namespace to install locust operator as well as to run Pods of master and workers. LOCUST_NAMESPACE=locust-operator diff --git a/ci-scripts/rhdh-setup/create_resource.sh b/ci-scripts/rhdh-setup/create_resource.sh index ae1f5a8..2499582 100755 --- a/ci-scripts/rhdh-setup/create_resource.sh +++ b/ci-scripts/rhdh-setup/create_resource.sh @@ -15,6 +15,8 @@ WORKDIR=$(readlink -m .) kc_lockfile="$TMP_DIR/kc.lockfile" +COOKIE="$TMP_DIR/cookie.jar" + keycloak_url() { f="$TMP_DIR/keycloak.url" exec 4>"$kc_lockfile" @@ -40,7 +42,7 @@ backstage_url() { exit 1 } if [ ! -f "$f" ]; then - if [ "$INSTALL_METHOD" == "helm" ]; then + if [ "$RHDH_INSTALL_METHOD" == "helm" ]; then rhdh_route="${RHDH_HELM_RELEASE_NAME}-${RHDH_HELM_CHART}" else rhdh_route="backstage-developer-hub" @@ -83,6 +85,7 @@ create_per_grp() { } clone_and_upload() { + ACCESS_TOKEN=$(get_token "rhdh") echo "[INFO][$(date --utc -Ins)] Uploading entities to GitHub" git_str="${GITHUB_USER}:${GITHUB_TOKEN}@github.com" base_name=$(basename "$GITHUB_REPO") @@ -104,12 +107,12 @@ clone_and_upload() { git push -f --set-upstream origin "$tmp_branch" cd .. sleep 5 - rhdh_token=$(curl -s -k "$(backstage_url)/api/auth/guest/refresh" | jq -r '.backstageIdentity.token') for filename in "${files[@]}"; do e_count=$(yq eval '.metadata.name | capture(".*-(?P[0-9]+)").value' "$filename" | tail -n 1) upload_url="${GITHUB_REPO%.*}/blob/${tmp_branch}/$(basename "$filename")" echo "Uploading entities from $upload_url" - curl -k "$(backstage_url)/api/catalog/locations" -X POST -H 'Accept-Encoding: gzip, deflate, br' -H 'Authorization: Bearer '"$rhdh_token" -H 'Content-Type: application/json' --data-raw '{"type":"url","target":"'"${upload_url}"'"}' + curl -k "$(backstage_url)/api/catalog/locations" --cookie "$COOKIE" --cookie-jar "$COOKIE" -X POST -H 'Accept-Encoding: gzip, deflate, br' -H 'Authorization: Bearer '"$ACCESS_TOKEN" -H 'Content-Type: application/json' --data-raw '{"type":"url","target":"'"${upload_url}"'"}' + timeout_timestamp=$(date -d "300 seconds" "+%s") while true; do @@ -117,8 +120,8 @@ clone_and_upload() { echo "ERROR: Timeout waiting on entity count" exit 1 else - if [[ 'component-*.yaml' == "${1}" ]]; then b_count=$(curl -s -k "$(backstage_url)/api/catalog/entity-facets?facet=kind" -H 'Content-Type: application/json' -H 'Authorization: Bearer '"$rhdh_token" | jq -r '.facets.kind[] | select(.value == "Component")| .count'); fi - if [[ 'api-*.yaml' == "${1}" ]]; then b_count=$(curl -s -k "$(backstage_url)/api/catalog/entity-facets?facet=kind" -H 'Content-Type: application/json' -H 'Authorization: Bearer '"$rhdh_token" | jq -r '.facets.kind[] | select(.value == "API")| .count'); fi + if [[ 'component-*.yaml' == "${1}" ]]; then b_count=$(curl -s -k "$(backstage_url)/api/catalog/entity-facets?facet=kind" --cookie "$COOKIE" --cookie-jar "$COOKIE" -H 'Content-Type: application/json' -H 'Authorization: Bearer '"$ACCESS_TOKEN" | jq -r '.facets.kind[] | select(.value == "Component")| .count'); fi + if [[ 'api-*.yaml' == "${1}" ]]; then b_count=$(curl -s -k "$(backstage_url)/api/catalog/entity-facets?facet=kind" --cookie "$COOKIE" --cookie-jar "$COOKIE" -H 'Content-Type: application/json' -H 'Authorization: Bearer '"$ACCESS_TOKEN" | jq -r '.facets.kind[] | select(.value == "API")| .count'); fi if [[ $b_count -ge $e_count ]]; then break; fi fi echo "Waiting for the entity count to be ${e_count} (current: ${b_count})" @@ -195,8 +198,67 @@ log_token_err() { log_token "$1" "ERROR" } +keycloak_token() { + curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=${keycloak_pass}" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(date -d '30 seconds' +%s)" +} + +rhdh_token() { + REDIRECT_URL="$(backstage_url)/oauth2/callback" + REFRESH_URL="$(backstage_url)/api/auth/oauth2Proxy/refresh" + USERNAME="test1" + PASSWORD=$(oc -n "${RHDH_NAMESPACE}" get secret perf-test-secrets -o template --template='{{.data.keycloak_user_pass}}' | base64 -d) + REALM="backstage" + CLIENTID="backstage" + + if [[ "${AUTH_PROVIDER}" != "keycloak" ]]; then + ACCESS_TOKEN=$(curl -s -k --cookie "$COOKIE" --cookie-jar "$COOKIE" "$(backstage_url)/api/auth/guest/refresh" | jq -r ".backstageIdentity" | jq -r ".expires_in_timestamp = $(date -d '50 minutes' +%s)") + echo "$ACCESS_TOKEN" + return + fi + + LOGIN_URL=$(curl -I -k -sSL --cookie "$COOKIE" --cookie-jar "$COOKIE" "$REFRESH_URL") + state=$(echo "$LOGIN_URL" | grep -oP 'state=\K[^ ]+' | sed 's/%2F/\//g;s/%3A/:/g') + + AUTH_URL=$(curl -k -sSL --get --cookie "$COOKIE" --cookie-jar "$COOKIE" \ + --data-urlencode "client_id=${CLIENTID}" \ + --data-urlencode "state=${state}" \ + --data-urlencode "redirect_uri=${REDIRECT_URL}" \ + --data-urlencode "scope=openid email profile" \ + --data-urlencode "response_type=code" \ + "$(keycloak_url)/auth/realms/$REALM/protocol/openid-connect/auth" | grep -oP 'action="\K[^"]+') + + execution=$(echo "$AUTH_URL" | grep -oP 'execution=\K[^&]+') + tab_id=$(echo "$AUTH_URL" | grep -oP 'tab_id=\K[^&]+') + AUTHENTICATE_URL=$(echo "$AUTH_URL" | sed -e 's/\&/\&/g') + + CODE_URL=$(curl -k -sS --cookie "$COOKIE" --cookie-jar "$COOKIE" \ + --data-raw "username=${USERNAME}&password=${PASSWORD}&credentialId=" \ + --data-urlencode "client_id=${CLIENTID}" \ + --data-urlencode "tab_id=${tab_id}" \ + --data-urlencode "execution=${execution}" \ + --write-out "%{REDIRECT_URL}" \ + "$AUTHENTICATE_URL") + + code=$(echo "$CODE_URL" | grep -oP 'code=\K[^"]+') + session_state=$(echo "$CODE_URL" | grep -oP 'session_state=\K[^&]+') + + CODE_URL=$(echo "$CODE_URL" | sed -e 's/\&/\&/g') + ACCESS_TOKEN=$(curl -k -sSL --cookie "$COOKIE" --cookie-jar "$COOKIE" \ + --data-urlencode "code=$code" \ + --data-urlencode "session_state=$session_state" \ + --data-urlencode "state=$state" \ + "$CODE_URL" | jq -r ".backstageIdentity" | jq -r ".expires_in_timestamp = $(date -d '50 minutes' +%s)") + echo "$ACCESS_TOKEN" +} + + get_token() { - token_file=$TMP_DIR/token.json + service=$1 + if [[ ${service} == 'rhdh' ]]; then + token_file="$TMP_DIR/rhdh_token.json" + else + token_file="$TMP_DIR/keycloak_token.json" + fi while ! mkdir "$token_lockfile" 2>/dev/null; do sleep 0.5s done @@ -210,16 +272,27 @@ get_token() { log_token_err "Timeout getting keycloak token" exit 1 fi - keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret credential-example-sso -o template --template='{{.data.ADMIN_PASSWORD}}' | base64 -d) - if ! curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=${keycloak_pass}" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(date -d '30 seconds' +%s)" >"$token_file"; then - log_token_err "Unable to get token, re-attempting" + if [[ ${service} == 'rhdh' ]]; then + [[ -f "$token_file" ]] && rm -rf "$token_file" && rm -rf "$TMP_DIR/cookie.jar" + if ! rhdh_token >"$token_file"; then + log_token_err "Unable to get token, re-attempting" + fi + else + keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret credential-example-sso -o template --template='{{.data.ADMIN_PASSWORD}}' | base64 -d) + if ! keycloak_token >"$token_file"; then + log_token_err "Unable to get token, re-attempting" + fi fi sleep 5s done - jq -rc '.access_token' "$token_file" + if [[ ${service} == 'rhdh' ]]; then + jq -rc '.token' "$token_file" + else + jq -rc '.access_token' "$token_file" + fi rm -rf "$token_lockfile" } -export -f keycloak_url backstage_url backstage_url get_token create_group create_user log_token log_token_info log_token_err +export -f keycloak_url backstage_url get_token keycloak_token rhdh_token create_group create_user log_token log_token_info log_token_err export kc_lockfile bs_lockfile token_lockfile diff --git a/ci-scripts/scalability/test-scalability.sh b/ci-scripts/scalability/test-scalability.sh index 124d8eb..ad0374a 100755 --- a/ci-scripts/scalability/test-scalability.sh +++ b/ci-scripts/scalability/test-scalability.sh @@ -18,6 +18,8 @@ GITHUB_USER="$(cat /usr/local/ci-secrets/backstage-performance/github.user)" GITHUB_REPO="$(cat /usr/local/ci-secrets/backstage-performance/github.repo)" QUAY_TOKEN="$(cat /usr/local/ci-secrets/backstage-performance/quay.token)" +source "${PROJ_ROOT}"ci-scripts/rhdh-setup/create_resource.sh + read -ra workers <<<"${SCALE_WORKERS:-5}" read -ra active_users_spawn_rate <<<"${SCALE_ACTIVE_USERS_SPAWN_RATES:-1:1 200:40}" @@ -40,6 +42,13 @@ echo "Number of scalability matrix iterations: $((${#workers[*]} * ${#active_use echo wait_for_indexing() { + COOKIE="$TMP_DIR/cookie.jar" + if [ "$INSTALL_METHOD" == "helm" ]; then + rhdh_route="${RHDH_HELM_RELEASE_NAME}-${RHDH_HELM_CHART}" + #rhdh_route="rhdh-redhat-developer-hub" + else + rhdh_route="backstage-developer-hub" + fi if [ "$WAIT_FOR_SEARCH_INDEX" == "true" ]; then rhdh_route="${RHDH_HELM_RELEASE_NAME}-${RHDH_HELM_CHART}" HOST="https://$(oc get routes "${rhdh_route}" -n "${RHDH_NAMESPACE:-rhdh-performance}" -o jsonpath='{.spec.host}')" @@ -52,7 +61,8 @@ wait_for_indexing() { echo "ERROR: Timeout waiting" exit 1 else - count="$(curl -sk "$HOST/api/search/query?term=&types%5B0%5D=software-catalog" | jq -rc '.numberOfResults')" + ACCESS_TOKEN=$(get_token "rhdh") + count="$(curl -sk "$HOST/api/search/query?term=&types%5B0%5D=software-catalog" --cookie "$COOKIE" --cookie-jar "$COOKIE" -H 'Authorization: Bearer '"$ACCESS_TOKEN" | jq -rc '.numberOfResults')" if [ "$count" != "null" ]; then finish=$(date +%s) echo "Search query returned non-empty set ($count) - indexing has finished in $((finish - start))s"