fix(RHIDP-3671): Reduce user and group name sizes to support bigger RBAC policies

ci-scripts/rhdh-setup/create_resource.sh

@@ -168,7 +168,7 @@ create_group() {
   attempt=1
   while ((attempt <= max_attempts)); do
     token=$(get_token)
-    groupname="group${0}"
+    groupname="g${0}"
     response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
@@ -189,7 +189,7 @@ create_group() {
 create_groups() {
   log_info "Creating Groups in Keycloak"
   for i in $(seq 1 "$GROUP_COUNT"); do
-    echo "    g, group:default/group${i}, role:default/perf_admin" >>"$TMP_DIR/group-rbac.yaml"
+    echo "    g, group:default/g${i}, role:default/a" >>"$TMP_DIR/group-rbac.yaml"
   done
   sleep 5
   seq 1 "${GROUP_COUNT}" | xargs -n1 -P"${POPULATION_CONCURRENCY}" bash -c 'create_group'
@@ -202,8 +202,8 @@ create_user() {
     token=$(get_token)
     grp=$(echo "${0}%${GROUP_COUNT}" | bc)
     [[ $grp -eq 0 ]] && grp=${GROUP_COUNT}
-    username="test${0}"
-    groupname="group${grp}"
+    username="t${0}"
+    groupname="g${grp}"
     response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
@@ -264,7 +264,7 @@ keycloak_token() {
 rhdh_token() {
   REDIRECT_URL="$(backstage_url)/oauth2/callback"
   REFRESH_URL="$(backstage_url)/api/auth/oauth2Proxy/refresh"
-  USERNAME="test1"
+  USERNAME="guru"
   PASSWORD=$(oc -n "${RHDH_NAMESPACE}" get secret perf-test-secrets -o template --template='{{.data.keycloak_user_pass}}' | base64 -d)
   REALM="backstage"
   CLIENTID="backstage"

ci-scripts/rhdh-setup/deploy.sh

@@ -186,7 +186,8 @@ keycloak_install() {
         fi
     fi
     envsubst <template/keycloak/keycloakClient.yaml | $clin apply -f -
-    envsubst <template/keycloak/keycloakUser.yaml | $clin apply -f -
+    # shellcheck disable=SC2016
+    envsubst '${KEYCLOAK_USER_PASS}' <template/keycloak/keycloakUser.yaml | $clin apply -f -
 }
 
 create_users_groups() {
@@ -235,7 +236,7 @@ backstage_install() {
     if ${ENABLE_RBAC}; then
         cp template/backstage/rbac-config.yaml "${TMP_DIR}"
         cat "$TMP_DIR/group-rbac.yaml" >>"$TMP_DIR/rbac-config.yaml"
-        $clin apply -f "$TMP_DIR/rbac-config.yaml" --namespace="${RHDH_NAMESPACE}"
+        until $clin create -f "$TMP_DIR/rbac-config.yaml"; do $clin delete configmap rbac-policy --ignore-not-found=true; done
     fi
     envsubst <template/backstage/plugin-secrets.yaml | $clin apply -f -
     if [ "$INSTALL_METHOD" == "helm" ]; then

ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml

@@ -2,7 +2,7 @@
 permission:
   enabled: true
   rbac:
-    policies-csv-file: './rbac/rbac-policy.csv'
+    policies-csv-file: "./rbac/rbac-policy.csv"
     admin:
       users:
-        - name: user:default/test1
+        - name: user:default/guru

ci-scripts/rhdh-setup/template/backstage/helm/app-rbac-patch.yaml

@@ -5,4 +5,4 @@ permission:
     policies-csv-file: "./rbac/rbac-policy.csv"
     admin:
       users:
-        - name: user:default/test1
+        - name: user:default/guru

ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml

@@ -5,4 +5,4 @@ permission:
     policies-csv-file: "./rbac-policy.csv"
     admin:
       users:
-        - name: user:default/test1
+        - name: user:default/guru

ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml

@@ -4,9 +4,10 @@ metadata:
   name: rbac-policy
 data:
   rbac-policy.csv: |
-    p, role:default/perf_admin, kubernetes.proxy, use, allow
-    p, role:default/perf_admin, catalog-entity, read, allow
-    p, role:default/perf_admin, catalog.entity.create, create, allow
-    p, role:default/perf_admin, catalog.location.create, create, allow
-    p, role:default/perf_admin, catalog.location.read, read, allow
-    g, user:development/guest, role:default/perf_admin
+    p, role:default/a, kubernetes.proxy, use, allow
+    p, role:default/a, catalog-entity, read, allow
+    p, role:default/a, catalog.entity.create, create, allow
+    p, role:default/a, catalog.location.create, create, allow
+    p, role:default/a, catalog.location.read, read, allow
+    g, user:default/guru, role:default/a
+    g, user:development/guest, role:default/a

ci-scripts/rhdh-setup/template/component/api.template

@@ -7,6 +7,6 @@ metadata:
 spec:
   type: openapi
   lifecycle: production
-  owner: group${grp_indx}
+  owner: g${grp_indx}
   definition:
     $text: https://github.com/APIs-guru/openapi-directory/blob/main/APIs/archive.org/wayback/1.0.0/openapi.yaml

ci-scripts/rhdh-setup/template/component/component.template

@@ -7,5 +7,5 @@ metadata:
 spec:
   type: library
   lifecycle: experimental
-  owner: group${grp_indx}
+  owner: g${grp_indx}
   system: audio-playback

ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml

@@ -1,17 +1,21 @@
 apiVersion: keycloak.org/v1alpha1
 kind: KeycloakUser
 metadata:
-  name: demo
+  name: guru
   labels:
     app: sso
 spec:
   realmSelector:
     matchLabels:
       app: sso
   user:
-    username: demo
-    firstName: John
-    lastName: Doe
-    email: demo@example.com
+    username: guru
+    firstName: Guru
+    lastName: RHDH Admin
+    email: guru@test.com
     enabled: true
-    emailVerified: false
+    emailVerified: true
+    temporary: false
+    credentials:
+      - type: password
+        value: ${KEYCLOAK_USER_PASS}