keycloak user authentication
This patch enables user authentication using Keycloak.
yogananth-subramanian committed Feb 12, 2024
1 parent 365b93e commit f40588e
Showing 7 changed files with 85 additions and 5 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -4,6 +4,7 @@ export SCENARIO ?= baseline-test
# Used to set --host option of locust CLI (base URL to load test). See https://docs.locust.io/en/stable/configuration.html#command-line-options for details
export HOST ?= http://localhost

export KEYCLOAK_USER_PASS ?= $(shell mktemp -u XXXXXXXXXX)
# Used to set --users option of locust CLI (Peak number of concurrent Locust users.). See https://docs.locust.io/en/stable/configuration.html#command-line-options for details
export USERS ?= 100

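Review bot: `$(shell mktemp -u XXXXXXXXXX)` on the new `KEYCLOAK_USER_PASS` line is being used as a password generator, but mktemp only promises a unique temp-file name: the ten-character template yields a short alphanumeric string and the randomness behind it is not part of mktemp's documented contract, so it should not be relied on beyond a throwaway CI credential. Because `?=` is evaluated afresh on every `make` invocation, a later run against an already-provisioned Keycloak presumably gets a different value unless the caller exports the original one, which deserves a comment. I would write `export KEYCLOAK_USER_PASS ?= $(shell openssl rand -hex 16)` (if openssl is in the CI image; the hex output is also safe to splice into JSON and YAML) with the comment `# throwaway password for the generated test users; regenerated per run unless set in the environment`.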
2 changes: 1 addition & 1 deletion ci-scripts/rhdh-setup/create_resource.sh
Expand Up @@ -141,7 +141,7 @@ create_user() {
curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer '"$token" \
--data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com", "enabled":"true", "username":"'"${username}"'","groups":["/'"${groupname}"'"]}' |& tee -a "$TMP_DIR/create_user.log"
--data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com","emailVerified":"true", "enabled":"true", "username":"'"${username}"'","groups":["/'"${groupname}"'"],"credentials":[{"type":"password","value":"'"${KEYCLOAK_USER_PASS}"'","temporary":false}]}' |& tee -a "$TMP_DIR/create_user.log"
echo "[INFO][$(date --utc -Ins)] User $username ($groupname) created" >>"$TMP_DIR/create_user.log"
}

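Review bot: The new `--data-raw` line splices `${KEYCLOAK_USER_PASS}` (and `${username}`) into the JSON by string concatenation and hands the result to curl on argv, so the password is visible in `ps`/`/proc/<pid>/cmdline` and in any `set -x` trace for the life of the request, and a caller-supplied value containing `"` or `\` produces invalid JSON (the Makefile's mktemp default is alphanumeric, so this only bites when the variable is overridden). The bearer token on the line above has the same argv exposure, but that predates this commit. If `jq` is available in the CI image I would build the body with it and send it on stdin; `create_user`'s opening line is outside this hunk.
```shell
  # build the body with jq so values are JSON-escaped and the password never appears on curl's argv
  jq -n --arg u "$username" --arg g "$groupname" --arg p "$KEYCLOAK_USER_PASS" \
    '{firstName:$u, lastName:"tester", email:($u+"@test.com"), emailVerified:"true", enabled:"true",
      username:$u, groups:["/"+$g], credentials:[{type:"password", value:$p, temporary:false}]}' |
    curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
      -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer '"$token" \
      --data-binary @- |& tee -a "$TMP_DIR/create_user.log"
  # … unchanged: "[INFO] User created" log line …
```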
6 changes: 6 additions & 0 deletions ci-scripts/rhdh-setup/deploy.sh
Expand Up @@ -39,6 +39,8 @@ export BACKSTAGE_USER_COUNT="${BACKSTAGE_USER_COUNT:-1}"
export GROUP_COUNT="${GROUP_COUNT:-1}"
export API_COUNT="${API_COUNT:-1}"
export COMPONENT_COUNT="${COMPONENT_COUNT:-1}"
export KEYCLOAK_USER_PASS=${KEYCLOAK_USER_PASS:-$(mktemp -u XXXXXXXXXX)}


TMP_DIR=$(readlink -m "${TMP_DIR:-.tmp}")
mkdir -p "${TMP_DIR}"
Expand Down Expand Up @@ -86,6 +88,7 @@ keycloak_install() {
export KEYCLOAK_CLIENT_SECRET
KEYCLOAK_CLIENT_SECRET=$(mktemp -u XXXXXXXXXX)
envsubst <template/keycloak/keycloak-op.yaml | $clin apply -f -
envsubst <template/backstage/perf-test-secrets.yaml | $clin apply -f -
grep -m 1 "rhsso-operator" <($clin get pods -w)
wait_to_start deployment rhsso-operator 300 300
envsubst <template/keycloak/keycloak.yaml | $clin apply -f -
Expand All @@ -97,6 +100,8 @@ keycloak_install() {

# shellcheck disable=SC2016,SC1004
backstage_install() {
COOKIE_SECRET=$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo)
export COOKIE_SECRET
until envsubst <template/backstage/secret-rhdh-pull-secret.yaml | $clin apply -f -; do $clin delete secret rhdh-pull-secret; done
until $clin create configmap app-config-rhdh --from-file "app-config-rhdh.yaml=template/backstage/app-config.yaml"; do $clin delete configmap app-config-rhdh; done
envsubst <template/backstage/plugin-secrets.yaml | $clin apply -f -
Expand Down Expand Up @@ -125,6 +130,7 @@ backstage_install() {
${RHDH_IMAGE_REPO} \
${RHDH_IMAGE_TAG} \
${RHDH_NAMESPACE} \
${COOKIE_SECRET} \
' <"$chart_values" >"$TMP_DIR/chart-values.yaml"
if [ -n "${RHDH_RESOURCES_CPU_REQUESTS}" ]; then yq -i '.upstream.backstage.resources.requests.cpu = "'"${RHDH_RESOURCES_CPU_REQUESTS}"'"' "$TMP_DIR/chart-values.yaml"; fi
if [ -n "${RHDH_RESOURCES_CPU_LIMITS}" ]; then yq -i '.upstream.backstage.resources.limits.cpu = "'"${RHDH_RESOURCES_CPU_LIMITS}"'"' "$TMP_DIR/chart-values.yaml"; fi
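Review bot: The `KEYCLOAK_USER_PASS` fallback in the first hunk repeats the Makefile's `mktemp -u XXXXXXXXXX` generator, so two places now decide what a test password looks like, and mktemp's ten-character temp-name template is not a documented random-password interface. I would keep the fallback only here and use a real generator, `export KEYCLOAK_USER_PASS="${KEYCLOAK_USER_PASS:-$(openssl rand -hex 16)}"`, preceded by `# throwaway password for generated test users; set it in the environment to reuse an existing deployment` (openssl availability in the CI image to be confirmed). Separately, the third hunk adds `${COOKIE_SECRET}` to the envsubst list that renders `$TMP_DIR/chart-values.yaml`, so the proxy's cookie-signing key is left in clear text in the working directory after the run; removing that rendered file in the existing cleanup path, or keeping the secret out of the values file, would close that. `backstage_install` continues past the end of the hunk.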
5 changes: 5 additions & 0 deletions ci-scripts/rhdh-setup/template/backstage/app-config.yaml
Expand Up @@ -4,6 +4,11 @@ integrations:
github:
- host: github.com
#token: ${GITHUB_TOKEN}
auth:
environment: production
providers:
oauth2Proxy: {}
signInPage: oauth2Proxy
catalog:
processingInterval: { minutes: 5 }
providers:
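Review bot: The new `auth.providers.oauth2Proxy: {}` block carries no note about the trust boundary it creates: as I understand the oauth2Proxy provider, the backend takes the signed-in identity from forwarded headers set by a proxy in front of it, so this configuration is only safe while the backend cannot be reached around that proxy. I would add above `auth:` a comment such as `# sign-in identity comes from the X-Forwarded-* headers set by the oauth2-proxy sidecar; the backend port must only be reachable through that sidecar`, and next to `environment: production` a one-liner naming the Keycloak realm the sidecar is configured against so the next reader does not have to cross-reference the chart values.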
Expand Up @@ -84,6 +84,37 @@ upstream:
value: "warn"
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
extraContainers:
- name: oauth2-proxy
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: CLIENT_ID
name: keycloak-client-secret-backstage
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: CLIENT_SECRET
name: keycloak-client-secret-backstage
- name: OAUTH2_PROXY_COOKIE_SECRET
value: '${COOKIE_SECRET}'
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: 'https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage'
- name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
value: 'true'
ports:
- name: oauth2-proxy
containerPort: 4180
protocol: TCP
imagePullPolicy: IfNotPresent
image: 'quay.io/oauth2-proxy/oauth2-proxy:latest'
args:
- '--provider=oidc'
- '--email-domain=*'
- '--upstream=http://localhost:7007'
- '--http-address=0.0.0.0:4180'
- '--skip-provider-button'
image:
debug: false
pullPolicy: Always
Expand Down Expand Up @@ -163,9 +194,9 @@ upstream:
service:
externalTrafficPolicy: Cluster
ports:
backend: 7007
backend: 4180
name: http-backend
targetPort: backend
targetPort: oauth2-proxy
sessionAffinity: None
type: ClusterIP
serviceAccount:
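Review bot: `OAUTH2_PROXY_COOKIE_SECRET` is set as a literal `value:` while the two client credentials right above it come from the `keycloak-client-secret-backstage` Secret via `secretKeyRef`, so the cookie-signing key ends up in the Deployment and Pod specs (readable by anyone with `get pods`) and in every rendered copy of this values file. I would store it in a Secret and reference it the same way; the file header naming this values file is not shown, and which Secret to use is for the author to decide. `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: 'true'` also deserves a comment tying it to the self-signed Keycloak route, in the same spirit as the `NODE_TLS_REJECT_UNAUTHORIZED` line above it, so it is not copied into a non-test deployment.
```yaml
# … unchanged: OAUTH2_PROXY_CLIENT_ID / OAUTH2_PROXY_CLIENT_SECRET …
- name: OAUTH2_PROXY_COOKIE_SECRET
  valueFrom:
    secretKeyRef:
      key: cookie-secret
      name: perf-test-secrets   # key to be added to the Secret deploy.sh already applies — confirm name
# … unchanged: OAUTH2_PROXY_OIDC_ISSUER_URL and the rest of the sidecar …
```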
35 changes: 33 additions & 2 deletions ci-scripts/rhdh-setup/template/backstage/chart-values.yaml
Expand Up @@ -84,6 +84,37 @@ upstream:
value: "warn"
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
extraContainers:
- name: oauth2-proxy
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: CLIENT_ID
name: keycloak-client-secret-backstage
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: CLIENT_SECRET
name: keycloak-client-secret-backstage
- name: OAUTH2_PROXY_COOKIE_SECRET
value: '${COOKIE_SECRET}'
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: 'https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage'
- name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
value: 'true'
ports:
- name: oauth2-proxy
containerPort: 4180
protocol: TCP
imagePullPolicy: IfNotPresent
image: 'quay.io/oauth2-proxy/oauth2-proxy:latest'
args:
- '--provider=oidc'
- '--email-domain=*'
- '--upstream=http://localhost:7007'
- '--http-address=0.0.0.0:4180'
- '--skip-provider-button'
installDir: /app
replicas: ${RHDH_DEPLOYMENT_REPLICAS}
revisionHistoryLimit: 10
Expand Down Expand Up @@ -157,9 +188,9 @@ upstream:
service:
externalTrafficPolicy: Cluster
ports:
backend: 7007
backend: 4180
name: http-backend
targetPort: backend
targetPort: oauth2-proxy
sessionAffinity: None
type: ClusterIP
serviceAccount:
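Review bot: The second hunk repoints the Service at port 4180, but the Backstage container keeps listening on 7007 in the same pod (`--upstream=http://localhost:7007`), and since the backend now accepts its identity from forwarded headers, any in-cluster client that can reach the pod IP on 7007 can set `X-Forwarded-Email` itself and skip the proxy entirely, unless the backend is bound to loopback or a NetworkPolicy restricts pod ingress to 4180 — neither is visible here and the choice depends on how the readiness probes reach the container. The sidecar image `quay.io/oauth2-proxy/oauth2-proxy:latest` with `imagePullPolicy: IfNotPresent` means each node runs whatever build it last cached; pin a release tag or digest so the auth layer is reproducible. I would also add `# TLS verification is disabled only because the CI Keycloak route is self-signed` next to `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY`.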
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Secret
stringData:
keycloak-user-pass: ${KEYCLOAK_USER_PASS}
metadata:
name: perf-test-secrets
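Review bot: `keycloak-user-pass: ${KEYCLOAK_USER_PASS}` is substituted by envsubst into an unquoted YAML scalar, so an overridden password that YAML reads as a non-string (`true`, `0123`, `1e5`) is rejected by `stringData`, and one starting with `*`, `&`, `!`, `[` or `{` changes the document's meaning; the mktemp default is alphanumeric, so this only surfaces when the variable is supplied by a caller. Quoting it, `keycloak-user-pass: "${KEYCLOAK_USER_PASS}"`, handles those cases (a value containing `"` still breaks, which is why creating the Secret with `--from-literal` in deploy.sh would be more robust). If the variable is unset the template silently produces an empty password, so a `: "${KEYCLOAK_USER_PASS:?}"` guard before the apply would be worthwhile; nothing in this commit visibly reads the Secret, so a header comment naming its consumer would help.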
