# Creating ServiceAccount for Backstage

## Create the ServiceAccount itself

```
$ kubectl create serviceaccount backstage-sa -n default
```

!!! Role did NOT work (probably a namespace issue), created a ClusterRole + binding instead, see below

## Create the role

backstage-role.yaml:

```
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: backstage-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
```

```
$ kubectl apply -f backstage-role.yaml
```

## Bind role to service account

backstage-rolebinding.yaml:

```
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: backstage-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: backstage-sa
  namespace: default
roleRef:
  kind: Role
  name: backstage-role
  apiGroup: rbac.authorization.k8s.io
```

```
$ kubectl apply -f backstage-rolebinding.yaml
```

## Create the ClusterRole

## Create the ClusterRoleBinding

## Create a secret token for the service account

backstage-sa-token-secret.yaml:

```
apiVersion: v1
kind: Secret
metadata:
  name: backstage-sa-token-secret
  annotations:
    kubernetes.io/service-account.name: backstage-sa
type: kubernetes.io/service-account-token
```

```
$ kubectl apply -f backstage-sa-token-secret.yaml -n default
```

## Link the secret with the service account

```
$ oc secrets link backstage-sa backstage-sa-token-secret -n default
```

## Get the service account token

Get the name of the secret (backstage-sa-secret):

```
$ kubectl get serviceaccount backstage-sa -n default -o jsonpath='{.secrets[0].name}'
```

Get the secret value (the token):

```
$ kubectl get secret backstage-sa-secret -n default -o jsonpath='{.data.token}' | base64 --decode
```

## Update app-config

```
kubernetes:
  serviceLocatorMethod:
    type: 'multiTenant'
  clusterLocatorMethods:
    - type: 'config'
      clusters:
        - url: 'https://api.oc-med.wk.nt.local:6443'
          name: 'WK OKD Cluster'
          authProvider: 'serviceAccount'
          serviceAccountToken: '${KUBERNETES_SERVICE_ACCOUNT_TOKEN}'
          skipTLSVerify: true
```

Note: `skipTLSVerify: true` turns off verification of the API server's TLS certificate for every request Backstage makes to the cluster; the safer setting is to supply the cluster CA (`caData`) and leave verification on.
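Before the token goes into app-config it is worth confirming two things: that the token actually belongs to `backstage-sa` (the `sub` claim of a service account token is `system:serviceaccount:<namespace>:<name>`), and that the account ended up with exactly the read-only permissions in backstage-role.yaml and nothing more. The script below is an added example, not part of the original note; it assumes bash with coreutils on the PATH, and for the RBAC check it assumes `kubectl` can reach the cluster. The sample token it decodes is constructed for offline demonstration and carries a fake signature.

```bash
#!/usr/bin/env bash
# Added example (not from the original note): sanity checks on the service
# account token and on the RBAC grant, run before the token reaches Backstage.
# Assumes bash, coreutils (base64, cut, tr, sed) and, for the RBAC check only,
# kubectl with access to the cluster.
set -eu

# Decode the payload segment of a JWT (base64url, unpadded) to JSON text.
jwt_payload() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64 needs a length that is a multiple of 4; restore the '=' padding.
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d
}

# Extract the "sub" claim; for a service account token it is
# system:serviceaccount:<namespace>:<name>.
token_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub" *: *"\([^"]*\)".*/\1/p'
}

# Succeeds only if the token was issued to the expected service account, so a
# token copied from the wrong secret is caught before it is pasted into config.
check_token_identity() {
  local token="$1" ns="$2" sa="$3"
  [ "$(token_subject "$token")" = "system:serviceaccount:${ns}:${sa}" ]
}

# Compare the live RBAC grant against the rules in backstage-role.yaml: the
# listed read verbs must be allowed, and writes / secret reads must be denied.
# Needs kubectl; the caller must be allowed to impersonate the service account.
check_sa_permissions() {
  local ns="$1" sa="$2" user="system:serviceaccount:${1}:${2}" rc=0
  local expect want rest verb resource got
  for expect in \
      "yes get pods" "yes list services" "yes watch deployments.apps" \
      "no delete pods" "no create deployments.apps" "no get secrets"; do
    want=${expect%% *}; rest=${expect#* }; verb=${rest%% *}; resource=${rest#* }
    # kubectl prints yes/no and exits non-zero on "no", so do not let set -e fire.
    got=$(kubectl auth can-i "$verb" "$resource" -n "$ns" --as="$user" 2>/dev/null || true)
    if [ "$got" = "$want" ]; then
      echo "ok   $verb $resource -> $got"
    else
      echo "FAIL $verb $resource -> ${got:-error} (expected $want)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample token for offline demonstration: JWT-shaped, with the
# claims a service account token carries and a fake signature segment.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url).$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:backstage-sa"}' | b64url).fakesignature"

echo "token subject: $(token_subject "$SAMPLE_TOKEN")"
if check_token_identity "$SAMPLE_TOKEN" default backstage-sa; then
  echo "identity ok: token belongs to default/backstage-sa"
fi
```

Against a real cluster, source the file and run `TOKEN=$(kubectl get secret backstage-sa-token-secret -n default -o jsonpath='{.data.token}' | base64 --decode); check_token_identity "$TOKEN" default backstage-sa && check_sa_permissions default backstage-sa`. A `FAIL` line for one of the `no` expectations means the binding grants more than the Role above intended (for instance if the ClusterRole path ended up broader than the namespaced Role), which is exactly what to fix before handing the token to Backstage.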