keycloak user authentication

This patch enabled user authentication using keycloak.

ci-scripts/rhdh-setup/create_resource.sh

@@ -141,7 +141,7 @@ create_user() {
   curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
     -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer '"$token" \
-    --data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com", "enabled":"true", "username":"'"${username}"'","groups":["/'"${groupname}"'"]}' |& tee -a "$TMP_DIR/create_user.log"
+    --data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com","emailVerified":"true", "enabled":"true", "username":"'"${username}"'","groups":["/'"${groupname}"'"],"credentials":[{"type":"password","value":"123456","temporary":false}]}' |& tee -a "$TMP_DIR/create_user.log"
   echo "[INFO][$(date --utc -Ins)] User $username ($groupname) created" >>"$TMP_DIR/create_user.log"
 }
 

ci-scripts/rhdh-setup/template/backstage/app-config.yaml

@@ -4,6 +4,11 @@ integrations:
   github:
     - host: github.com
       #token: ${GITHUB_TOKEN}
+auth:
+  environment: production
+  providers:
+    oauth2Proxy: {}
+signInPage: oauth2Proxy
 catalog:
   processingInterval: { minutes: 5 }
   providers:

ci-scripts/rhdh-setup/template/backstage/chart-values.yaml

@@ -84,6 +84,37 @@ upstream:
         value: "warn"
       - name: NODE_TLS_REJECT_UNAUTHORIZED
         value: "0"
+    extraContainers:
+      - name: oauth2-proxy
+        env:
+          - name: OAUTH2_PROXY_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                key: CLIENT_ID
+                name: keycloak-client-secret-backstage
+          - name: OAUTH2_PROXY_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                key: CLIENT_SECRET
+                name: keycloak-client-secret-backstage
+          - name: OAUTH2_PROXY_COOKIE_SECRET
+            value: 'ZUNoRTFGZE1BdmVtR3hCWkY5ZFAxZklsZ2tlL2pmTmg='
+          - name: OAUTH2_PROXY_OIDC_ISSUER_URL
+            value: 'https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage'
+          - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
+            value: 'true'
+        ports:
+          - name: oauth2-proxy
+            containerPort: 4180
+            protocol: TCP
+        imagePullPolicy: IfNotPresent
+        image: 'quay.io/oauth2-proxy/oauth2-proxy:latest'
+        args:
+          - '--provider=oidc'
+          - '--email-domain=*'
+          - '--upstream=http://localhost:7007'
+          - '--http-address=0.0.0.0:4180'
+          - '--skip-provider-button'
     installDir: /app
     replicas: ${RHDH_DEPLOYMENT_REPLICAS}
     revisionHistoryLimit: 10
@@ -157,9 +188,9 @@ upstream:
   service:
     externalTrafficPolicy: Cluster
     ports:
-      backend: 7007
+      backend: 4180
       name: http-backend
-      targetPort: backend
+      targetPort: oauth2-proxy
     sessionAffinity: None
     type: ClusterIP
   serviceAccount: