feat(KubernetesPlugins): make k8s frontend + backend plugins work with our cluster

sreez-showcase/k8s/backstage-clusterrole.yaml

@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: backstage-clusterrole
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - pods
+      - configmaps
+      - services
+      - deployments
+      - replicasets
+      - horizontalpodautoscalers
+      - ingresses
+      - statefulsets
+      - limitranges
+      - resourcequotas
+      - daemonsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+      - cronjobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - metrics.k8s.io
+    resources:
+      - pods
+    verbs:
+      - get
+      - list

sreez-showcase/k8s/backstage-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-all-clusterrole-binding
+subjects:
+- kind: ServiceAccount
+  name: backstage-sa
+  namespace: default  # Update the namespace if needed
+roleRef:
+  kind: ClusterRole
+  name: backstage-clusterrole
+  apiGroup: rbac.authorization.k8s.io

sreez-showcase/k8s/backstage-role.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: backstage-role
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps", "batch", "extensions", "networking.k8s.io", "rbac.authorization.k8s.io", "storage.k8s.io"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+  resources: ["horizontalpodautoscalers"]
+  verbs: ["get", "list", "watch"]

sreez-showcase/k8s/backstage-rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: backstage-rolebinding
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: backstage-sa
+  namespace: default
+roleRef:
+  kind: Role
+  name: backstage-role
+  apiGroup: rbac.authorization.k8s.io

sreez-showcase/k8s/backstage-sa-token-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backstage-sa-token-secret
+  annotations:
+    kubernetes.io/service-account.name: backstage-sa
+type: kubernetes.io/service-account-token

sreez-showcase/k8s/devspaces-github-secret.yaml

@@ -0,0 +1,15 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: devspaces-github-oauth-config
+  namespace: sreez
+  labels:
+    app.kubernetes.io/part-of: che.eclipse.org
+    app.kubernetes.io/component: oauth-scm-configuration
+  annotations:
+    che.eclipse.org/oauth-scm-server: github
+    che.eclipse.org/scm-server-endpoint: https://github.com
+type: Opaque
+stringData:
+  id: Ov23li2sU4W3iLzocZWP
+  secret: 8e041432352bf0e5f2bbb4bff25c3dea9b391feb

sreez-showcase/k8s/k8s-plugin-config.md

@@ -0,0 +1,109 @@
+# Creating ServiceAccount for Backstage
+
+## Create the ServiceAccount itself
+
+```
+$ kubectl create serviceaccount backstage-sa -n default
+```
+
+!!! Role did NOT work (probably a namespace issue), created a clusterRole + binding instead, see below
+
+## Create the role
+
+backstage-role.yaml:
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: backstage-role
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch"]
+```
+
+```
+$ kubectl apply -f backstage-role.yaml
+```
+
+## Bind role to service account
+
+backstage-rolebinding.yaml:
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: backstage-rolebinding
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: backstage-sa
+  namespace: default
+roleRef:
+  kind: Role
+  name: backstage-role
+  apiGroup: rbac.authorization.k8s.io
+```
+
+```
+$ kubectl apply -f backstage-rolebinding.yaml
+```
+
+## Create the ClusterRole
+
+## Create the ClusterRoleBinding
+
+## Create a secret token for the service account
+
+backstage-sa-token-secret.yaml:
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backstage-sa-token-secret
+  annotations:
+    kubernetes.io/service-account.name: backstage-sa
+type: kubernetes.io/service-account-token
+```
+
+```
+$ kubectl apply -f backstage-sa-token-secret.yaml -n default
+```
+
+## Link the secret with the service account
+
+```
+$ oc secrets link backstage-sa backstage-sa-token-secret -n default
+```
+
+## Get the service account token
+
+Get the name of the secret (backstage-sa-secret):
+```
+$ kubectl get serviceaccount backstage-sa -n default -o jsonpath='{.secrets[0].name}'
+```
+
+get the secret value (the token):
+```
+kubectl get secret backstage-sa-secret -n default -o jsonpath='{.data.token}' | base64 --decode
+```
+
+## Update app-config
+
+```
+kubernetes:
+  serviceLocatorMethod:
+    type: 'multiTenant'
+  clusterLocatorMethods:
+    - type: 'config'
+      clusters:
+        - url: 'https://api.oc-med.wk.nt.local:6443'
+          name: 'WK OKD Cluster'
+          authProvider: 'serviceAccount'
+          serviceAccountToken: '${KUBERNETES_SERVICE_ACCOUNT_TOKEN}'
+          skipTLSVerify: true
+```

sreez-showcase/k8s/okd-github-auth.md

@@ -0,0 +1,14 @@
+create github app
+  -> authorization callback must contain the IDP name as defined in the OAuth resource
+
+create github secret (okd-github-secret.yaml)
+create github OAuth resource (okd-oauth-github)
+  -> make sure secret name matches and idp name matches auth callback from github app
+
+```
+$ oc get user
+$ oc adm policy add-role-to-user admin <github-username> -n <project-name>
+
+```
+
+

sreez-showcase/k8s/okd-github-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: okd-github-secret
+  namespace: openshift-config
+type: Opaque
+stringData:
+  clientSecret: 41dd1d62609725a5a0ecbdccb1fa9805ad55dc93

sreez-showcase/k8s/okd-oauth-github.yaml

@@ -0,0 +1,16 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  - name: githubidp
+    mappingMethod: claim
+    type: GitHub
+    github:
+      clientID: Ov23liRSsXqOfUPVerIx
+      clientSecret:
+        name: okd-github-secret
+      organizations:
+        - Kheops-org
+