move backstage PVC to sts

Signed-off-by: Pankaj Walke <[email protected]>

packages/backstage/chart/templates/postgresql.yaml

@@ -1,20 +1,4 @@
 {{- if .Values.postgresql.enabled -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: {{ include "postgresql.fullname" . }}
-  namespace: {{ .Values.namespace }}
-  labels:
-    app: {{ include "postgresql.fullname" . }}
-    {{- include "backstage.labels" . | nindent 4 }}
-spec:
-  storageClassName: {{ .Values.postgresql.persistence.storageClass }}
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: {{ .Values.postgresql.persistence.size }}
----
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -50,10 +34,15 @@ spec:
         - name: data
           mountPath: /var/lib/postgresql/data
           subPath: postgress
-      volumes:
-      - name: data
-        persistentVolumeClaim:
-          claimName: {{ include "postgresql.fullname" . }}
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.postgresql.persistence.size }}
 ---
 apiVersion: v1
 kind: Service

packages/keycloak/manifests/user-sso-config-job.yaml

@@ -257,128 +257,153 @@ spec:
               set -ex -o pipefail
               apt -qq update && apt -qq install curl jq gettext-base -y
 
-              # Get Keycloak token for intial Admin user
+              # Define helper functions
+              keycloak_post() {
+                local endpoint=$1
+                local payload=$2
+                local resource_name=$3
+
+                HTTP_STATUS=$(curl -sS -w "%{http_code}" -o /tmp/response.txt -H "Content-Type: application/json" \
+                  -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X POST --data @${payload} \
+                  ${KEYCLOAK_URL}${endpoint})
+
+                if [ "$HTTP_STATUS" -eq 409 ]; then
+                  echo "${resource_name} already exists, continuing..."
+                elif [ "$HTTP_STATUS" -ne 201 ] && [ "$HTTP_STATUS" -ne 200 ]; then
+                  echo "Error creating ${resource_name}: HTTP status $HTTP_STATUS"
+                  cat /tmp/response.txt
+                fi
+              }
+
+              keycloak_put() {
+                local endpoint=$1
+                local resource_name=$2
+
+                HTTP_STATUS=$(curl -sS -w "%{http_code}" -o /tmp/response.txt -H "Content-Type: application/json" \
+                  -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X PUT ${KEYCLOAK_URL}${endpoint})
+
+                if [ "$HTTP_STATUS" -ne 204 ] && [ "$HTTP_STATUS" -ne 200 ]; then
+                  echo "Error updating ${resource_name}: HTTP status $HTTP_STATUS"
+                  cat /tmp/response.txt
+                fi
+              }
+
+              keycloak_get() {
+                local endpoint=$1
+                local jq_filter=$2
+
+                curl -sS -H "Content-Type: application/json" \
+                  -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X GET ${KEYCLOAK_URL}${endpoint} | jq -e -r "${jq_filter}"
+              }
+
+              # Get Keycloak token for initial Admin user
               ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD)
               KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:80
               USER1_PASSWORD=$(cat /var/secrets/USER1_PASSWORD)
-              KEYCLOAK_TOKEN=$(curl -sS  --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \
+              HTTP_STATUS=$(curl -sS -w "%{http_code}" -o /tmp/response.txt -X POST -H "Content-Type: application/x-www-form-urlencoded" \
                 --data-urlencode "username=cnoe-admin" \
                 --data-urlencode "password=${ADMIN_PASSWORD}" \
                 --data-urlencode "grant_type=password" \
                 --data-urlencode "client_id=admin-cli" \
-                ${KEYCLOAK_URL}/realms/cnoe/protocol/openid-connect/token | jq -e -r '.access_token')
-
-              set +e
+                ${KEYCLOAK_URL}/realms/cnoe/protocol/openid-connect/token)
+              if [ "$HTTP_STATUS" -ne 200 ]; then
+                echo "Error getting Keycloak token: HTTP status $HTTP_STATUS"
+                cat /tmp/response.txt
+                exit 1
+              fi
+              KEYCLOAK_TOKEN=$(cat /tmp/response.txt | jq -e -r '.access_token')
 
-              curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}"  "${KEYCLOAK_URL}/admin/realms/cnoe"  &> /dev/null
-              if [ $? -ne 0 ]; then
+              HTTP_STATUS=$(curl -sS -w "%{http_code}" -o /tmp/response.txt -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe")
+              if [ "$HTTP_STATUS" -ne 200 ]; then
+                echo "Error validating Keycloak token: HTTP status $HTTP_STATUS"
+                cat /tmp/response.txt
                 exit 1
               fi
-              set -e
 
               # Download kubectl
               curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
               chmod +x kubectl
 
               echo "creating client scopes"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/client-scope-groups-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes
+              keycloak_post "/admin/realms/cnoe/client-scopes" "/var/config/client-scope-groups-payload.json" "Client scope"
 
               echo "creating admin group"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-admin-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
+              keycloak_post "/admin/realms/cnoe/groups" "/var/config/group-admin-payload.json" "Admin group"
 
               echo "creating base-user group"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-base-user-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
+              keycloak_post "/admin/realms/cnoe/groups" "/var/config/group-base-user-payload.json" "Base-user group"
 
               echo "adding group claim to tokens"
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-mapper-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models
-
-              echo "creating user1"
-              jq --arg pwd "$USER1_PASSWORD" '.credentials[0].value = $pwd' /var/config/user1-payload.json > user1-payload-with-password.json
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @user1-payload-with-password.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users
+              CLIENT_SCOPE_GROUPS_ID=$(keycloak_get "/admin/realms/cnoe/client-scopes" '.[] | select(.name == "groups") | .id')
+
+              keycloak_post "/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models" \
+                "/var/config/group-mapper-payload.json" "Protocol mapper"
 
-              echo "creating user2"
-              jq --arg pwd "$USER1_PASSWORD" '.credentials[0].value = $pwd' /var/config/user2-payload.json > user2-payload-with-password.json
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @user2-payload-with-password.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users
+              # Create users function
+              create_user() {
+                local user_num=$1
+                local payload_file=$2
+
+                echo "creating user${user_num}"
+                jq --arg pwd "$USER1_PASSWORD" '.credentials[0].value = $pwd' ${payload_file} > user${user_num}-payload-with-password.json
+                keycloak_post "/admin/realms/cnoe/users" "user${user_num}-payload-with-password.json" "User${user_num}"
+              }
+
+              create_user "1" "/var/config/user1-payload.json"
+              create_user "2" "/var/config/user2-payload.json"
 
-              USER1ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=one" | jq -r '.[0].id')
-              USER2ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=two" | jq -r '.[0].id')
+              USER1ID=$(keycloak_get "/admin/realms/cnoe/users?lastName=one" ".[0].id")
+              USER2ID=$(keycloak_get "/admin/realms/cnoe/users?lastName=two" ".[0].id")
 
               echo "USER1 ID: ${USER1ID}"
-              echo "USER1 ID: ${USER1ID}"
-
-              echo "creating ArgoCD client"
-              curl -sS --fail-with-body -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/argocd-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              echo "USER2 ID: ${USER2ID}"
 
-              CLIENT_ID=$(curl -sS --fail-with-body -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argocd") | .id')
+              # Create client function
+              create_client() {
+                local client_name=$1
+                local payload_file=$2
+
+                echo "creating ${client_name} client"
+                keycloak_post "/admin/realms/cnoe/clients" "${payload_file}" "${client_name} client"
+              }
 
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS --fail-with-body -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              create_client "ArgoCD" "/var/config/argocd-client-payload.json"
 
-              echo "creating Backstage client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/backstage-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              # Add client scope function
+              add_client_scope() {
+                local client_id_name=$1
+                local client_name=$2
+
+                CLIENT_ID=$(keycloak_get "/admin/realms/cnoe/clients" ".[] | select(.clientId == \"${client_id_name}\") | .id")
+                CLIENT_SCOPE_GROUPS_ID=$(keycloak_get "/admin/realms/cnoe/client-scopes" '.[] | select(.name == "groups") | .id')
+                keycloak_put "/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}" "${client_name} client scope"
+              }
 
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
+              add_client_scope "argocd" "ArgoCD"
 
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              create_client "Backstage" "/var/config/backstage-client-payload.json"
 
-              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-
-              echo "creating Argo Workflows client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                  -X POST --data @/var/config/argo-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              add_client_scope "backstage" "Backstage"
 
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argo-workflows") | .id')
+              # Get client secret function
+              get_client_secret() {
+                local client_id_name=$1
+                local var_name=$2
+
+                CLIENT_ID=$(keycloak_get "/admin/realms/cnoe/clients" ".[] | select(.clientId == \"${client_id_name}\") | .id")
+                local secret=$(keycloak_get "/admin/realms/cnoe/clients/${CLIENT_ID}" ".secret")
+                eval "${var_name}=${secret}"
+              }
 
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              get_client_secret "backstage" "BACKSTAGE_CLIENT_SECRET"
 
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              create_client "Argo Workflows" "/var/config/argo-client-payload.json"
 
-              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              add_client_scope "argo-workflows" "Argo Workflows"
+              get_client_secret "argo-workflows" "ARGO_WORKFLOWS_CLIENT_SECRET"
 
               echo "Creating ArgoCD session token for backstage"
               ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')

packages/keycloak/values.yaml

@@ -644,6 +644,7 @@ ingress:
   ##
   annotations:
     cert-manager.io/cluster-issuer: 'letsencrypt-prod'
+    argocd.argoproj.io/sync-wave: "60"
   ## @param ingress.labels Additional labels for the Ingress resource.
   ## e.g:
   ## labels:

scripts/install.sh

@@ -27,7 +27,7 @@ AWS_REGION=$(yq '.region' config.yaml)
 
 
 KUBECONFIG_FILE=$(mktemp)
-aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME --kubeconfig $KUBECONFIG_FILE
+aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME --kubeconfig $KUBECONFIG_FILE > /dev/null 2>&1
 KUBECONFIG=$(kubectl config --kubeconfig $KUBECONFIG_FILE view --raw -o json)
 SERVER_URL=$(echo $KUBECONFIG | jq -r '.clusters[0].cluster.server')
 CA_DATA=$(echo $KUBECONFIG | jq -r '.clusters[0].cluster."certificate-authority-data"')
@@ -63,9 +63,12 @@ EOF
 # Run idpbuilder for applying packages
 idpbuilder create --use-path-routing --protocol http --package "$REPO_ROOT/packages/" -c "argocd:${CLUSTER_SECRET_FILE}"
 
-# Apply remote cluster secret
-# kubectl apply -f "$CLUSTER_SECRET_FILE"
+# Wait for hub-addons to be healthy
+kubectl wait --for=jsonpath=.status.health.status=Healthy  -n argocd application/hub-addons --timeout=5m
+sleep 30
 
+# Finally wait for ArgoCD on the hub Cluster to be Healthy
+kubectl wait --for=jsonpath=.status.health.status=Healthy -n argocd application/argocd-hub --kubeconfig $KUBECONFIG_FILE --timeout=-15m
 
 # REPO_ROOT=$(git rev-parse --show-toplevel)
 

scripts/uninstall.sh

@@ -23,6 +23,12 @@ fi
 # Delete idpbuilder local kind cluster instance
 idpbuilder delete cluster --name localdev
 
+# Get EKS kubeconfig
+CLUSTER_NAME=$(yq '.cluster_name' config.yaml)
+AWS_REGION=$(yq '.region' config.yaml)
+KUBECONFIG_FILE=$(mktemp)
+aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER_NAME --kubeconfig $KUBECONFIG_FILE > /dev/null 2>&1
+
 # Addons to be deleted
 ADDONS=(
   backstage
@@ -35,30 +41,27 @@ ADDONS=(
 )
 
 # Delete all application sets except argocd
-for app in "${ADDONS[@]}"; do 
-  kubectl delete applicationsets.argoproj.io -n argocd $app
+for app in "${ADDONS[@]}"; do
+  echo "Deleting $app AppSet..."
+  kubectl delete applicationsets.argoproj.io -n argocd $app --kubeconfig $KUBECONFIG_FILE > /dev/null 2>&1 || true
   # Wait for AppSet deletion to complete before moving to next AppSet
-  while kubectl get applications.argoproj.io -n argocd -l addonName=$app &>/dev/null; do
+  while [ $(kubectl get applications.argoproj.io -n argocd -l addonName=$app --no-headers --kubeconfig $KUBECONFIG_FILE 2>/dev/null | wc -l) -ne 0 ]; do
     echo "Waiting for $app AppSet to be deleted..."
-    sleep 5
+    sleep 10
   done
 done
 
-# Patch ArgoCD AppSet to remove finalizer and Delete it
-# kubectl patch applicationsets.argoproj.io -n argocd argocd --type json -p '[{"op": "remove", "path": "/metadata/finalizers"}]'
-# kubectl delete applicationsets.argoproj.io -n argocd argocd
-
 # Delete ArgoCD App
-kubectl delete applicationsets.argoproj.io -n argocd argocd
+echo "Deleting argocd AppSet..."
+kubectl delete applicationsets.argoproj.io -n argocd argocd --kubeconfig $KUBECONFIG_FILE > /dev/null 2>&1
 
-# Wait for 3mins for ArgoCD to be deleted
-while kubectl get applications.argoproj.io -n argocd -l addonName=argocd &>/dev/null; do
-  echo "Waiting for argocd AppSet to be deleted..."
-  sleep 5
-done
+# Wait for 2mins for ArgoCD to be deleted
+echo "Waiting for argocd AppSet to be deleted..."
+sleep 120
 
-# Patch ArgoCD App to remove finalizer for completing deletion of ArgoCD App.
-# kubectl patch applications.argoproj.io -n argocd argocd --type json -p '[{"op": "remove", "path": "/metadata/finalizers"}]'
+# Remove PVCs for keycloak
+# echo "Deleting PVCs for keycloak..."
+# kubectl delete pvc -n keycloak data-keycloak-postgresql-0 --kubeconfig $KUBECONFIG_FILE > /dev/null 2>&1
 
 # kubectl delete applications.argoproj.io argocd-hub -n argocd
 # cd "${TF_DIR}"