jquad-group / backstage-jquad

Tekton Pipelines Plugin for Backstage
Apache License 2.0
18 stars, 6 forks

Optional `authorizationBearerToken` #12

Closed jmadureira closed 1 year ago

jmadureira commented 1 year ago

Hello

I'm currently working on a Tekton setup where the API is open but in read-only mode. As a result, I can freely make requests without having to provide the Authorization header.

The problem is that, since this plugin assumes that the authorizationBearerToken is mandatory, all requests it makes to Tekton include the Authorization header, which will cause it to fail with a 401 status code.

Considering that this setup is a possibility, is it possible to make the authorizationBearerToken attribute optional?

ghost commented 1 year ago

@jmadureira are you able to get Tekton pipelines in Backstage? Because I am also stuck with authorizationBearerToken.

jmadureira commented 1 year ago

@Va-asu I'm unable to get it working on Backstage because the tekton plugin always includes the Authorization header. A quick hack would be to simply not include the header if no token is provided.

You can also check if it works in your case by manually making the request. It would be something like:

```
curl -v "https://<your tekton URL>/apis/tekton.dev/v1beta1/namespaces/<your namespace>/pipelineruns?labelSelector=<some label selector you might have>" -H "Content-type: application/json"
```

For additional reference, taken from the Tekton documentation, which may help with #9 that you've opened:

> The Dashboard does not provide its own authentication or authorization, however it will pass on any authentication headers provided to it by a proxy deployed in front of the Dashboard. These are then handled by the Kubernetes API server allowing for full access control via Kubernetes RBAC. In case of forbidden access the Dashboard will display corresponding error notifications.

This indicates that the "proper" solution involves correctly configuring Kubernetes RBAC which may not be possible in some installations.

rannox commented 1 year ago

Hello all,

will try to release a new version of the plugin tomorrow, in which the authorizationBearerToken is optional.

ghost commented 1 year ago

Thank you @rannox , it will be very helpful for us.

rannox commented 1 year ago

This was implemented in version v0.2.6. Just delete the authorizationBearerToken param from the app-config.yaml.

I will be happy for your feedback, if this change helped you out? :)

jmadureira commented 1 year ago

@rannox Thank you for the new release. I've tested and it works as expected and will close this issue.

Hopefully this will also help @Va-asu with this issue.
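
The behaviour this thread converges on, as an added TypeScript example that is not part of the original discussion and is not the plugin's own code: the `Authorization` header is sent only when `authorizationBearerToken` is actually set, and a 401 is read differently depending on whether a token was sent. The names `TektonConfig`, `buildPipelineRunsRequest` and `classifyStatus` are hypothetical; the API path is the one from the curl command above.

```typescript
// Hypothetical helper types and functions (assumptions, not the plugin's API).
interface TektonConfig {
  baseUrl: string;
  authorizationBearerToken?: string; // optional, as requested in this issue
}

interface TektonRequest {
  url: string;
  headers: Record<string, string>;
  sentToken: boolean;
}

function buildPipelineRunsRequest(
  cfg: TektonConfig,
  namespace: string,
  labelSelector?: string,
): TektonRequest {
  const base = cfg.baseUrl.replace(/\/+$/, '');
  let url = `${base}/apis/tekton.dev/v1beta1/namespaces/${encodeURIComponent(namespace)}/pipelineruns`;
  if (labelSelector) {
    url += `?labelSelector=${encodeURIComponent(labelSelector)}`;
  }

  const headers: Record<string, string> = { 'Content-type': 'application/json' };

  // Treat a missing, empty or whitespace-only token as "no token" so the
  // client never sends "Bearer undefined" or "Bearer " to the API.
  const token = cfg.authorizationBearerToken?.trim();
  if (token) {
    // A bearer token has no internal whitespace; rejecting it here also
    // keeps CR/LF from a bad config value out of the header.
    if (/\s/.test(token)) {
      throw new Error('authorizationBearerToken contains whitespace');
    }
    headers['Authorization'] = `Bearer ${token}`;
  }
  return { url, headers, sentToken: Boolean(token) };
}

// Maps a response status to the likely cause discussed in the thread.
function classifyStatus(statusCode: number, sentToken: boolean): string {
  if (statusCode === 401) return sentToken ? 'token-rejected' : 'auth-required';
  if (statusCode === 403) return 'rbac-forbidden'; // Kubernetes RBAC denied the request
  return statusCode >= 200 && statusCode < 300 ? 'ok' : 'other-error';
}
```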