Enable RBAC (#60)

Enable RBAC for 1.2 and 1.1.
Patch introduces a new ENV variable ENABLE_RBAC to enable RBAC,
by setting ENABLE_RBAC=true

ci-scripts/rhdh-setup/create_resource.sh

@@ -152,6 +152,7 @@ create_cmp() {
 create_group() {
   token=$(get_token)
   groupname="group${0}"
+  echo "    g, group:default/${groupname}, role:default/perf_admin" >> "$TMP_DIR/group-rbac.yaml"
   curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
     -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer '"$token" \

ci-scripts/rhdh-setup/deploy.sh

@@ -52,6 +52,7 @@ export API_COUNT="${API_COUNT:-1}"
 export COMPONENT_COUNT="${COMPONENT_COUNT:-1}"
 export KEYCLOAK_USER_PASS=${KEYCLOAK_USER_PASS:-$(mktemp -u XXXXXXXXXX)}
 export AUTH_PROVIDER="${AUTH_PROVIDER:-''}"
+export ENABLE_RBAC="${ENABLE_RBAC:-false}"
 
 export INSTALL_METHOD=helm
 
@@ -157,7 +158,11 @@ backstage_install() {
     if [ "${AUTH_PROVIDER}" == "keycloak" ]; then yq -i '. |= . + {"signInPage":"oauth2Proxy"}' "$TMP_DIR/app-config.yaml"; fi
     if [ "${AUTH_PROVIDER}" == "keycloak" ]; then yq -i '. |= . + {"auth":{"environment":"production","providers":{"oauth2Proxy":{}}}}' "$TMP_DIR/app-config.yaml"; else yq -i '. |= . + {"auth":{"providers":{"guest":{"dangerouslyAllowOutsideDevelopment":true}}}}' "$TMP_DIR/app-config.yaml"; fi
     until envsubst <template/backstage/secret-rhdh-pull-secret.yaml | $clin apply -f -; do $clin delete secret rhdh-pull-secret --ignore-not-found=true; done
+    if ${ENABLE_RBAC}; then yq -i '. |= . + load("template/backstage/app-rbac-patch.yaml")' "$TMP_DIR/app-config.yaml"; fi
     until $clin create configmap app-config-rhdh --from-file "app-config.rhdh.yaml=$TMP_DIR/app-config.yaml"; do $clin delete configmap app-config-rhdh --ignore-not-found=true; done
+    cp template/backstage/rbac-config.yaml "${TMP_DIR}"
+    cat "$TMP_DIR/group-rbac.yaml">> "$TMP_DIR/rbac-config.yaml"
+    $clin apply -f "$TMP_DIR/rbac-config.yaml" --namespace="${RHDH_NAMESPACE}"
     envsubst <template/backstage/plugin-secrets.yaml | $clin apply -f -
     if [ "$INSTALL_METHOD" == "helm" ]; then
         install_rhdh_with_helm
@@ -188,6 +193,14 @@ install_rhdh_with_helm() {
     echo "Installing RHDH Helm chart $RHDH_HELM_RELEASE_NAME from $chart_origin in $RHDH_NAMESPACE namespace"
     cp "$chart_values" "$TMP_DIR/chart-values.temp.yaml"
     if [ "${AUTH_PROVIDER}" == "keycloak" ]; then yq -i '.upstream.backstage |= . + load("template/backstage/helm/oauth2-container-patch.yaml")' "$TMP_DIR/chart-values.temp.yaml"; fi
+    if ${ENABLE_RBAC}; then
+        if helm search repo --devel -r rhdh --version 1.2-1 --fail-on-no-result ; then
+            yq -i '.upstream.backstage |= . + load("template/backstage/helm/extravolume-patch-1.2.yaml")' "$TMP_DIR/chart-values.temp.yaml";
+        else
+            yq -i '.upstream.backstage |= . + load("template/backstage/helm/extravolume-patch-1.1.yaml")' "$TMP_DIR/chart-values.temp.yaml";
+        fi
+        yq -i '.global.dynamic.plugins |= . + load("template/backstage/helm/rbac-plugin-patch.yaml")' "$TMP_DIR/chart-values.temp.yaml";
+    fi
     envsubst \
         '${OPENSHIFT_APP_DOMAIN} \
             ${RHDH_HELM_RELEASE_NAME} \

ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml

@@ -0,0 +1,8 @@
+---
+permission:
+  enabled: true
+  rbac:
+    policies-csv-file: './rbac/rbac-policy.csv'
+    admin:
+      users:
+        - name: user:default/test1

ci-scripts/rhdh-setup/template/backstage/helm/extravolume-patch-1.1.yaml

@@ -0,0 +1,53 @@
+---
+extraVolumeMounts:
+  - name: dynamic-plugins-root
+    mountPath: /opt/app-root/src/dynamic-plugins-root
+  - name: rbac-policy
+    mountPath: /opt/app-root/src/rbac
+extraVolumes:
+  - name: dynamic-plugins-root
+    ephemeral:
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              # -- Size of the volume that will contain the dynamic plugins. It should be large enough to contain all the plugins.
+              storage: 2Gi
+  - name: dynamic-plugins
+    configMap:
+      defaultMode: 420
+      name: dynamic-plugins
+      optional: true
+  - name: rbac-policy
+    configMap:
+      defaultMode: 420
+      name: rbac-policy
+  - name: dynamic-plugins-npmrc
+    secret:
+      defaultMode: 420
+      optional: true
+      secretName: dynamic-plugins-npmrc
+initContainers:
+  - name: install-dynamic-plugins
+    image: '{{ include "backstage.image" . }}'
+    command:
+      - ./install-dynamic-plugins.sh
+      - /dynamic-plugins-root
+    env:
+      - name: NPM_CONFIG_USERCONFIG
+        value: /opt/app-root/src/.npmrc.dynamic-plugins
+    imagePullPolicy: Always
+    volumeMounts:
+      - mountPath: /dynamic-plugins-root
+        name: dynamic-plugins-root
+      - mountPath: /opt/app-root/src/dynamic-plugins.yaml
+        name: dynamic-plugins
+        readOnly: true
+        subPath: dynamic-plugins.yaml
+      - mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
+        name: dynamic-plugins-npmrc
+        readOnly: true
+        subPath: .npmrc
+    workingDir: /opt/app-root/src

ci-scripts/rhdh-setup/template/backstage/helm/extravolume-patch-1.2.yaml

@@ -0,0 +1,61 @@
+---
+extraVolumeMounts:
+  - name: dynamic-plugins-root
+    mountPath: /opt/app-root/src/dynamic-plugins-root
+  - name: diststatic
+    mountPath: /opt/app-root/src/packages/app/dist/static
+  - name: rbac-policy
+    mountPath: /opt/app-root/src/rbac
+extraVolumes:
+  - name: dynamic-plugins-root
+    ephemeral:
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              # -- Size of the volume that will contain the dynamic plugins. It should be large enough to contain all the plugins.
+              storage: 2Gi
+  - name: dynamic-plugins
+    configMap:
+      defaultMode: 420
+      name: dynamic-plugins
+      optional: true
+  - name: rbac-policy
+    configMap:
+      defaultMode: 420
+      name: rbac-policy
+  - name: dynamic-plugins-npmrc
+    secret:
+      defaultMode: 420
+      optional: true
+      secretName: dynamic-plugins-npmrc
+  - name: npmcacache
+    emptyDir: {}
+  - name: diststatic
+    emptyDir: {}
+initContainers:
+  - name: install-dynamic-plugins
+    image: '{{ include "backstage.image" . }}'
+    command:
+      - ./install-dynamic-plugins.sh
+      - /dynamic-plugins-root
+    env:
+      - name: NPM_CONFIG_USERCONFIG
+        value: /opt/app-root/src/.npmrc.dynamic-plugins
+    imagePullPolicy: Always
+    volumeMounts:
+      - mountPath: /dynamic-plugins-root
+        name: dynamic-plugins-root
+      - mountPath: /opt/app-root/src/dynamic-plugins.yaml
+        name: dynamic-plugins
+        readOnly: true
+        subPath: dynamic-plugins.yaml
+      - mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
+        name: dynamic-plugins-npmrc
+        readOnly: true
+        subPath: .npmrc
+      - mountPath: /opt/app-root/src/.npm/_cacache
+        name: npmcacache
+    workingDir: /opt/app-root/src

ci-scripts/rhdh-setup/template/backstage/helm/rbac-plugin-patch.yaml

@@ -0,0 +1,3 @@
+---
+- package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac
+  disabled: false

ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml

@@ -0,0 +1,11 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: rbac-policy
+data:
+  rbac-policy.csv: |
+    p, role:default/perf_admin, kubernetes.proxy, use, allow
+    p, role:default/perf_admin, catalog-entity, read, allow
+    p, role:default/perf_admin, catalog.entity.create, create, allow
+    p, role:default/perf_admin, catalog.location.create, create, allow
+    p, role:default/perf_admin, catalog.location.read, read, allow