feat: Backstage and oauth2 initial add (#29)

* feat: Backstage and oauth2 initial add

* feat: backstage configuration templating

* fix: backstage auth section

* create cookie secret for backstage oauth2

* feat: tf upgrade + set tf version via templating

---------

Co-authored-by: VADIM TSARFIN <[email protected]>
Co-authored-by: Alex Ulyanov <[email protected]>
Co-authored-by: Serg Shalavin <[email protected]>

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/170-backstage.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: backstage-components
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: '170'
+spec:
+  project: core
+  source:
+    repoURL: <GIT_REPOSITORY_GIT_URL>
+    path: gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: backstage
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 30s
+        maxDuration: 15m0s
+        factor: 2

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/55-oauth2-proxy.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: oauth2-proxy
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: '55'
+spec:
+  project: core
+  source:
+    repoURL: <GIT_REPOSITORY_GIT_URL>
+    path: gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/oauth2-proxy
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: oauth2-proxy
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 30s
+        maxDuration: 15m0s
+        factor: 2

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/application.yaml

@@ -0,0 +1,163 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: backstage
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "170"
+spec:
+  project: core
+  source:
+    repoURL: https://backstage.github.io/charts
+    chart: backstage
+    targetRevision: 1.6.0
+    helm:
+      values: |-
+        global:
+          imageRegistry: ""
+          imagePullSecrets: []
+        kubeVersion: ""
+        nameOverride: ""
+        fullnameOverride: ""
+        clusterDomain: cluster.local
+        commonLabels: {}
+        commonAnnotations: {}
+        extraDeploy: []
+        diagnosticMode:
+          enabled: false
+          command:
+            - sleep
+          args:
+            - infinity
+        ingress:
+          enabled: true
+          className: "nginx"
+          annotations: 
+            cert-manager.io/cluster-issuer: "letsencrypt-prod"
+            nginx.ingress.kubernetes.io/enable-cors: "true"
+            nginx.ingress.kubernetes.io/cors-allow-origin: "https://<PORTAL_INGRESS_URL>"
+            nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+            nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+          host: "<PORTAL_INGRESS_URL>"
+          tls:
+            enabled: true
+            secretName: "backstage-tls"
+        backstage:
+          replicas: 1
+          revisionHistoryLimit: 10
+          image:
+            registry: ghcr.io
+            repository: backstage/backstage
+            tag: latest
+            pullPolicy: Always
+            pullSecrets: []
+            debug: false
+          containerPorts:
+            backend: 7007
+          command: ["node", "packages/backend"]
+          args: []
+          extraAppConfig: []
+          extraContainers: []
+          extraEnvVars: []
+          extraEnvVarsSecrets: []
+          extraVolumeMounts: []
+          extraVolumes: []
+          initContainers: []
+          installDir: /app
+          resources: {}
+          readinessProbe: {}
+          livenessProbe: {}
+          startupProbe: {}
+          podSecurityContext: {}
+          containerSecurityContext: {}
+          appConfig:
+            app:
+              baseUrl: https://<PORTAL_INGRESS_URL>
+            organization:
+              name: <GIT_ORGANIZATION_NAME>
+            backend:
+              baseUrl: https://<PORTAL_INGRESS_URL>
+              listen:
+                port: 7007
+              cors:
+                origin: https://<PORTAL_INGRESS_URL>
+                methods: [GET, HEAD, PATCH, POST, PUT, DELETE]
+                credentials: true
+              database:
+                client: pg
+                connection:
+                  host: ${BACKSTAGE_POSTGRESQL_SERVICE_HOST}
+                  port: ${BACKSTAGE_POSTGRESQL_SERVICE_PORT}
+                  user: ${POSTGRES_USER}
+                  password: ${POSTGRES_PASSWORD}  
+            techdocs:
+              builder: 'local'
+              publisher:
+                type: 'local'
+              generator:
+                runIn: local
+          nodeSelector: {}
+          tolerations: []
+          podAnnotations: {}
+          podLabels: {}
+          annotations: {}
+        service:
+          type: ClusterIP
+          ports:
+            backend: 7007
+            name: http-backend
+            targetPort: backend
+          nodePorts:
+            backend: ""
+          sessionAffinity: None
+          #
+          clusterIP: ""
+          #
+          loadBalancerIP: ""
+          #
+          loadBalancerSourceRanges: []
+          #
+          externalTrafficPolicy: Cluster
+          annotations: {}
+          extraPorts: []
+        networkPolicy:
+          enabled: false
+          ingressRules:
+            namespaceSelector: {}
+            podSelector: {}
+            customRules: []
+          egressRules:
+            denyConnectionsToExternal: false
+            customRules: []
+        postgresql:
+          enabled: true
+          persistence:
+            enabled: false
+          auth:
+            username: bn_backstage
+          architecture: standalone
+          storage:
+            resourcePolicy: ""
+        serviceAccount:
+          create: true
+          name: ""
+          labels: {}
+          annotations: {}
+          automountServiceAccountToken: true
+        metrics:
+          serviceMonitor:
+            enabled: false
+            annotations: {}
+            labels: {}
+            interval: null
+            path: /metrics
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: backstage
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/oauth2-proxy/externalsecrets.yaml

@@ -0,0 +1,27 @@
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: oauth2-proxy-secrets
+  namespace: oauth2-proxy
+spec:
+  target:
+    name: oauth2-proxy-secrets
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-kv-secret
+  refreshInterval: 10s
+  data:
+    - remoteRef:
+        key: oidc/oauth2_backstage
+        property: client_id
+      secretKey: client-id
+    - remoteRef:
+        key: oidc/oauth2_backstage
+        property: client_secret
+      secretKey: client-secret
+    - remoteRef:
+        key: oauth2/cookie
+        property: backstage_cookie_secret
+      secretKey: cookie-secret
+
+

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/oauth2-proxy/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: oauth2-proxy
+
+resources:
+- oauth2-proxy.yaml
+- oauth2-proxy-ing.yaml
+- externalsecrets.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/oauth2-proxy/oauth2-proxy-ing.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  name: oauth2-proxy
+  namespace: oauth2-proxy
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: <PORTAL_INGRESS_URL>
+    http:
+      paths:
+      - path: /oauth2
+        pathType: Prefix
+        backend:
+          service:
+            name: oauth2-proxy
+            port:
+              number: 4180
+  tls:
+  - hosts:
+    - <PORTAL_INGRESS_URL>
+    secretName: backstage-tls

platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/oauth2-proxy/oauth2-proxy.yaml

@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: oauth2-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        k8s-app: oauth2-proxy
+    spec:
+      containers:
+      - args:
+        - --provider=oidc
+        - --email-domain=*
+        - --upstream="https://<PORTAL_OAUTH_CALLBACK_URL>"
+        - --http-address=0.0.0.0:4180
+        - --oidc-issuer-url=https://<OIDC_PROVIDER_URL>
+        env:
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+              secretKeyRef:
+                name: oauth2-proxy-secrets
+                key: client-id
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+              secretKeyRef:
+                name: oauth2-proxy-secrets
+                key: client-secret
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+              secretKeyRef:
+                name: oauth2-proxy-secrets
+                key: cookie-secret
+        image: quay.io/oauth2-proxy/oauth2-proxy:latest
+        imagePullPolicy: Always
+        name: oauth2-proxy
+        ports:
+        - containerPort: 4180
+          protocol: TCP
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: oauth2-proxy
+spec:
+  ports:
+  - name: http
+    port: 4180
+    protocol: TCP
+    targetPort: 4180
+  selector:
+    k8s-app: oauth2-proxy

platform/terraform/modules/secrets_vault/oidc-clients.tf

@@ -76,4 +76,20 @@ module "sonarqube" {
     "https://<CODE_QUALITY_INGRESS_URL>/oauth2/callback/oidc",
   ]
   secret_mount_path = "secret"
-}
+}
+
+module "oauth2_backstage" {
+  source = "./oidc-client"
+
+  depends_on = [
+    vault_identity_oidc_provider.cgdevx
+  ]
+
+  app_name               = "oauth2_backstage"
+  identity_group_ids     = [vault_identity_group.admins.id, vault_identity_group.developers.id]
+  oidc_provider_key_name = vault_identity_oidc_key.key.name
+  redirect_uris = [
+    "https://<PORTAL_INGRESS_URL>/oauth2/callback",
+  ]
+  secret_mount_path = "secret"
+}

platform/terraform/modules/secrets_vault/secrets.tf

@@ -202,3 +202,20 @@ resource "vault_generic_secret" "sonarqube_admin_secret" {
 
   depends_on = [vault_mount.secret]
 }
+
+resource "random_password" "oauth2_backstage_cookie_password" {
+  length           = 32
+  override_special = "-_"
+}
+
+resource "vault_generic_secret" "oauth2_cookie_secret" {
+  path = "secret/oauth2/cookie"
+
+  data_json = jsonencode(
+    {
+      backstage_cookie_secret        = random_password.oauth2_backstage_cookie_password.result,
+    }
+  )
+
+  depends_on = [vault_mount.secret]
+}