Backstage component

[jeffmccune]

References

• Backstage UI

Tasks

• [x] Backstage component
• [x] Holos IAM integration -
• [x] authpolicy-allow-portal
• [x] Configure GitHub Apps Integration
• [x] Configure GitHub Discovery
• [x] ConfigMap for /config/app-config.production.yaml
• [x] Add a card for the holos-infra repo

Follow up tasks

• [x] #184
• [x] #185
• [x] #186
• [x] #188

AuthorizationPolicy

kubectl get authorizationpolicies.security.istio.io -n istio-gateways authpolicy-allow-portal -o yaml | yq .spec

action: ALLOW
rules:
  - to:
      - operation:
          hosts:
            - backstage.admin.aws2.holos.run
            - backstage.admin.aws2.holos.run:*
    when:
      - key: request.auth.principal
        values:
          - https://login.holos.run/*
      - key: request.auth.audiences
        values:
          - "269746002573969304"
      - key: request.auth.presenter
        values:
          - 269746420997801880@holos_platform
      - key: request.auth.claims[groups]
        values:
          - portal-view
selector:
  matchLabels:
    istio.io/gateway-name: default

Github Integration

Refer to Backstage Github Apps docs.

[jeffmccune]

To rebuild and deploy backstage:

Start with KUBECONFIG using the correct cluster, currently aws2.

git clone git@github.com:holos-run/portal.git
cd portal
./hack/build
./hack/deploy

[jeffmccune]

We'll want to automate or document this process somehow:

cd portal
yarn backstage-cli create-github-app holos-run
yq github-app-backstage-428867-credentials.yaml -o json \
 | holos create secret --namespace backstage --append-hash=false --data-stdin github-app-credentials

Expected output:

10:31AM INF create.go:70 reading data keys from stdin... version=0.83.1
10:31AM INF create.go:126 created: github-app-credentials version=0.83.1 secret=github-app-credentials name=github-app-credentials namespace=backstage