Layered operator

Makefile

@@ -131,6 +131,12 @@ test: manifests generate fmt vet envtest ## Run tests. We need LOCALBIN=$(LOCALB
 	mkdir -p $(LOCALBIN)/default-config && cp config/manager/$(CONF_DIR)/* $(LOCALBIN)/default-config
 	LOCALBIN=$(LOCALBIN) KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $(PKGS) -coverprofile cover.out
 
+.PHONY: integration-test
+integration-test: ginkgo manifests generate fmt vet envtest ## Run integration_tests. We need LOCALBIN=$(LOCALBIN) to get correct default-config path
+	mkdir -p $(LOCALBIN)/default-config && cp config/manager/$(CONF_DIR)/* $(LOCALBIN)/default-config
+	LOCALBIN=$(LOCALBIN) KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" $(GINKGO) -v -r integration_tests
+
+
 ##@ Build
 
 .PHONY: build
@@ -195,6 +201,12 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
+.PHONY: deployment-manifest
+deployment-manifest: manifests kustomize ## Generate manifest to deploy operator.
+	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
+	$(KUSTOMIZE) build config/default > rhdh-operator-${VERSION}.yaml
+	@echo "Generated operator script rhdh-operator-${VERSION}.yaml"
+
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
@@ -402,9 +414,4 @@ show-img:
 show-container-engine:
 	@echo -n $(CONTAINER_ENGINE)
 
-.PHONY: deployment-manifest
-deployment-manifest: manifests kustomize ## Generate manifest to deploy operator.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
-	$(KUSTOMIZE) build config/default > rhdh-operator-${VERSION}.yaml
-	@echo "Generated operator script rhdh-operator-${VERSION}.yaml"
 

README.md

@@ -62,7 +62,7 @@ Output:
 
 ## License
 
-Copyright 2023 Red Hat Inc..
+Copyright 2023 Red Hat Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

api/v1alpha1/backstage_types.go

@@ -16,27 +16,38 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
-// Constants for status conditions
+type BackstageConditionReason string
+
+type BackstageConditionType string
+
 const (
-	// TODO: RuntimeConditionRunning string = "RuntimeRunning"
-	ConditionDeployed string = "Deployed"
-	DeployOK          string = "DeployOK"
-	DeployFailed      string = "DeployFailed"
-	DeployInProgress  string = "DeployInProgress"
+	BackstageConditionTypeDeployed BackstageConditionType = "Deployed"
+
+	BackstageConditionReasonDeployed   BackstageConditionReason = "Deployed"
+	BackstageConditionReasonFailed     BackstageConditionReason = "DeployFailed"
+	BackstageConditionReasonInProgress BackstageConditionReason = "DeployInProgress"
 )
 
 // BackstageSpec defines the desired state of Backstage
 type BackstageSpec struct {
 	// Configuration for Backstage. Optional.
 	Application *Application `json:"application,omitempty"`
 
-	// Raw Runtime Objects configuration. For Advanced scenarios.
-	RawRuntimeConfig RuntimeConfig `json:"rawRuntimeConfig,omitempty"`
+	// Raw Runtime RuntimeObjects configuration. For Advanced scenarios.
+	RawRuntimeConfig *RuntimeConfig `json:"rawRuntimeConfig,omitempty"`
 
 	// Configuration for database access. Optional.
-	Database Database `json:"database,omitempty"`
+	Database *Database `json:"database,omitempty"`
+}
+
+type RuntimeConfig struct {
+	// Name of ConfigMap containing Backstage runtime objects configuration
+	BackstageConfigName string `json:"backstageConfig,omitempty"`
+	// Name of ConfigMap containing LocalDb (PostgreSQL) runtime objects configuration
+	LocalDbConfigName string `json:"localDbConfig,omitempty"`
 }
 
 type Database struct {
@@ -98,7 +109,7 @@ type Application struct {
 
 	// Image Pull Secrets to use in all containers (including Init Containers)
 	// +optional
-	ImagePullSecrets *[]string `json:"imagePullSecrets,omitempty"`
+	ImagePullSecrets []string `json:"imagePullSecrets,omitempty"`
 
 	// Route configuration. Used for OpenShift only.
 	Route *Route `json:"route,omitempty"`
@@ -177,13 +188,6 @@ type Env struct {
 	Value string `json:"value"`
 }
 
-type RuntimeConfig struct {
-	// Name of ConfigMap containing Backstage runtime objects configuration
-	BackstageConfigName string `json:"backstageConfig,omitempty"`
-	// Name of ConfigMap containing LocalDb (PostgreSQL) runtime objects configuration
-	LocalDbConfigName string `json:"localDbConfig,omitempty"`
-}
-
 // BackstageStatus defines the observed state of Backstage
 type BackstageStatus struct {
 	// Conditions is the list of conditions describing the state of the runtime
@@ -268,3 +272,23 @@ type TLS struct {
 func init() {
 	SchemeBuilder.Register(&Backstage{}, &BackstageList{})
 }
+
+// IsLocalDbEnabled returns true if Local database is configured and enabled
+func (s *BackstageSpec) IsLocalDbEnabled() bool {
+	if s.Database == nil {
+		return true
+	}
+	return ptr.Deref(s.Database.EnableLocalDb, true)
+}
+
+// IsRouteEnabled returns value of Application.Route.Enabled if defined or true by default
+func (s *BackstageSpec) IsRouteEnabled() bool {
+	if s.Application != nil && s.Application.Route != nil {
+		return ptr.Deref(s.Application.Route.Enabled, true)
+	}
+	return true
+}
+
+func (s *BackstageSpec) IsAuthSecretSpecified() bool {
+	return s.Database != nil && s.Database.AuthSecretName != ""
+}

bundle/manifests/backstage-default-config_v1_configmap.yaml

@@ -1,28 +1,33 @@
 apiVersion: v1
 data:
-  backend-auth-configmap.yaml: |
+  app-config.yaml: |-
     apiVersion: v1
     kind: ConfigMap
     metadata:
-      name: # placeholder for '<cr-name>-backend-auth'
+      name: my-backstage-config-cm1 # placeholder for <bs>-default-appconfig
     data:
-      "app-config.backend-auth.default.yaml": |
+      default.app-config.yaml: |
         backend:
+          database:
+            connection:
+              password: ${POSTGRES_PASSWORD}
+              user: ${POSTGRES_USER}
           auth:
             keys:
               # This is a default value, which you should change by providing your own app-config
               - secret: "pl4s3Ch4ng3M3"
-  db-secret.yaml: |
+  db-secret.yaml: |-
     apiVersion: v1
     kind: Secret
     metadata:
-      name: # placeholder for 'backstage-psql-secret-<cr-name>'
-    stringData:
-      "POSTGRES_PASSWORD": "rl4s3Fh4ng3M4" # default value, change to your own value
-      "POSTGRES_PORT": "5432"
-      "POSTGRES_USER": "postgres"
-      "POSTGRESQL_ADMIN_PASSWORD": "rl4s3Fh4ng3M4" # default value, change to your own value
-      "POSTGRES_HOST": "" # set to your Postgres DB host. If the local DB is deployed, set to 'backstage-psql-<cr-name>'
+      name: postgres-secrets # will be replaced
+    type: Opaque
+    #stringData:
+    #  POSTGRES_PASSWORD:
+    #  POSTGRES_PORT: "5432"
+    #  POSTGRES_USER: postgres
+    #  POSTGRESQL_ADMIN_PASSWORD: admin123
+    #  POSTGRES_HOST: bs1-db-service    #placeholder <crname>-db-service
   db-service-hl.yaml: |
     apiVersion: v1
     kind: Service
@@ -44,7 +49,7 @@ data:
         rhdh.redhat.com/app:  backstage-psql-cr1 # placeholder for 'backstage-psql-<cr-name>'
       ports:
         - port: 5432
-  db-statefulset.yaml: |
+  db-statefulset.yaml: |-
     apiVersion: apps/v1
     kind: StatefulSet
     metadata:
@@ -62,6 +67,10 @@ data:
             rhdh.redhat.com/app: backstage-psql-cr1 # placeholder for 'backstage-psql-<cr-name>'
           name: backstage-db-cr1 # placeholder for 'backstage-psql-<cr-name>'
         spec:
+          # fsGroup does not work for Openshift
+          # AKS/EKS does not work w/o it
+          #securityContext:
+          #  fsGroup: 26
           automountServiceAccountToken: false
           ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
           ## The optional .spec.persistentVolumeClaimRetentionPolicy field controls if and how PVCs are deleted during the lifecycle of a StatefulSet.
@@ -77,13 +86,12 @@ data:
                   value: /var/lib/pgsql/data
                 - name: PGDATA
                   value: /var/lib/pgsql/data/userdata
-              envFrom:
-                - secretRef:
-                    name: <POSTGRESQL_SECRET>  # will be replaced with 'backstage-psql-secrets-<cr-name>'
-              # image will be replaced by the value of the `RELATED_IMAGE_postgresql` env var, if set
-              image: quay.io/fedora/postgresql-15:latest
+              image: quay.io/fedora/postgresql-15:latest # will be replaced with the actual image
               imagePullPolicy: IfNotPresent
               securityContext:
+                # runAsUser:26 does not work for Openshift but looks work for AKS/EKS
+                # runAsUser: 26
+                runAsGroup: 0
                 runAsNonRoot: true
                 allowPrivilegeEscalation: false
                 seccompProfile:
@@ -134,8 +142,6 @@ data:
                 - mountPath: /var/lib/pgsql/data
                   name: data
           restartPolicy: Always
-          securityContext: {}
-          serviceAccount: default
           serviceAccountName: default
           volumes:
             - emptyDir:
@@ -160,7 +166,7 @@ data:
     apiVersion: apps/v1
     kind: Deployment
     metadata:
-      name:  # placeholder for 'backstage-<cr-name>'
+      name: backstage # placeholder for 'backstage-<cr-name>'
     spec:
       replicas: 1
       selector:
@@ -172,6 +178,11 @@ data:
             rhdh.redhat.com/app:  # placeholder for 'backstage-<cr-name>'
         spec:
           automountServiceAccountToken: false
+          # if securityContext not present in AKS/EKS, the error is like this:
+          #Error: EACCES: permission denied, open '/dynamic-plugins-root/backstage-plugin-scaffolder-backend-module-github-dynamic-0.2.2.tgz'
+          # fsGroup doesn not work for Openshift
+          #securityContext:
+          #   fsGroup: 1001
           volumes:
             - ephemeral:
                 volumeClaimTemplate:
@@ -187,18 +198,19 @@ data:
                 defaultMode: 420
                 optional: true
                 secretName: dynamic-plugins-npmrc
-
           initContainers:
-            - command:
+            - name: install-dynamic-plugins
+              command:
                 - ./install-dynamic-plugins.sh
                 - /dynamic-plugins-root
+              image: quay.io/janus-idp/backstage-showcase:latest # will be replaced with the actual image quay.io/janus-idp/backstage-showcase:next
+              imagePullPolicy: IfNotPresent
+              securityContext:
+                runAsNonRoot: true
+                allowPrivilegeEscalation: false
               env:
                 - name: NPM_CONFIG_USERCONFIG
                   value: /opt/app-root/src/.npmrc.dynamic-plugins
-              # image will be replaced by the value of the `RELATED_IMAGE_backstage` env var, if set
-              image: quay.io/janus-idp/backstage-showcase:latest
-              imagePullPolicy: IfNotPresent
-              name: install-dynamic-plugins
               volumeMounts:
                 - mountPath: /dynamic-plugins-root
                   name: dynamic-plugins-root
@@ -208,6 +220,9 @@ data:
                   subPath: .npmrc
               workingDir: /opt/app-root/src
               resources:
+                requests:
+                  cpu: 250m
+                  memory: 256Mi
                 limits:
                   cpu: 1000m
                   memory: 2.5Gi
@@ -220,6 +235,9 @@ data:
               args:
                 - "--config"
                 - "dynamic-plugins-root/app-config.dynamic-plugins.yaml"
+              securityContext:
+                runAsNonRoot: true
+                allowPrivilegeEscalation: false
               readinessProbe:
                 failureThreshold: 3
                 httpGet:
@@ -246,24 +264,22 @@ data:
               env:
                 - name: APP_CONFIG_backend_listen_port
                   value: "7007"
-              envFrom:
-                - secretRef:
-                    name: <POSTGRESQL_SECRET>  # will be replaced with 'backstage-psql-secrets-<cr-name>'
-              #            - secretRef:
-              #                name: backstage-secrets
               volumeMounts:
                 - mountPath: /opt/app-root/src/dynamic-plugins-root
                   name: dynamic-plugins-root
               resources:
+                requests:
+                  cpu: 250m
+                  memory: 256Mi
                 limits:
                   cpu: 1000m
                   memory: 2.5Gi
                   ephemeral-storage: 5Gi
-  dynamic-plugins-configmap.yaml: |-
+  dynamic-plugins.yaml: |-
     apiVersion: v1
     kind: ConfigMap
     metadata:
-      name: # placeholder for '<cr-name>-dynamic-plugins'
+      name: default-dynamic-plugins #  must be the same as (deployment.yaml).spec.template.spec.volumes.name.dynamic-plugins-conf.configMap.name
     data:
       "dynamic-plugins.yaml": |
         includes:
@@ -273,7 +289,7 @@ data:
     apiVersion: route.openshift.io/v1
     kind: Route
     metadata:
-      name:  # placeholder for 'backstage-<cr-name>'
+      name: route # placeholder for 'backstage-<cr-name>'
     spec:
       port:
         targetPort: http-backend
@@ -284,11 +300,20 @@ data:
       to:
         kind: Service
         name:  # placeholder for 'backstage-<cr-name>'
+  secret-envs.yaml: |
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: backend-auth-secret
+    stringData:
+      # generated with the command below (from https://janus-idp.io/docs/auth/service-to-service-auth/#setup):
+      # node -p 'require("crypto").randomBytes(24).toString("base64")'
+      BACKEND_SECRET: "R2FxRVNrcmwzYzhhN3l0V1VRcnQ3L1pLT09WaVhDNUEK" # notsecret
   service.yaml: |-
     apiVersion: v1
     kind: Service
     metadata:
-      name:  # placeholder for 'backstage-<cr-name>'
+      name: backstage # placeholder for 'backstage-<cr-name>'
     spec:
       type: ClusterIP
       selector: