knative moved to infra chart, more changes after reviews, csp are gone

elai-shalev · elai-shalev · commit 3f2d1df915b4 · 2025-04-03T11:51:19.000+03:00
diff --git a/charts/backstage/Chart.yaml b/charts/backstage/Chart.yaml
@@ -44,4 +44,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.2.3
+version: 3.2.4
diff --git a/charts/backstage/README.md b/charts/backstage/README.md
@@ -2,7 +2,7 @@
 # RHDH Backstage Helm Chart for OpenShift (Community Version)
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/rhdh-chart&style=flat-square)](https://artifacthub.io/packages/search?repo=rhdh-chart)
-![Version: 3.2.3](https://img.shields.io/badge/Version-3.2.3-informational?style=flat-square)
+![Version: 3.2.4](https://img.shields.io/badge/Version-3.2.4-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for deploying Red Hat Developer Hub.
@@ -191,7 +191,7 @@ Kubernetes: `>= 1.25.0-0`
 | global.dynamic.includes[0] | List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default. This file ONLY works with the `janus-idp/backstage-showcase` container image. | string | `"dynamic-plugins.default.yaml"` |
 | global.dynamic.plugins | List of dynamic plugins, possibly overriding the plugins listed in `includes` files. Every item defines the plugin `package` as a [NPM package spec](https://docs.npmjs.com/cli/v10/using-npm/package-spec), an optional `pluginConfig` with plugin-specific backstage configuration, and an optional `disabled` flag to disable/enable a plugin listed in `includes` files. It also includes an `integrity` field that is used to verify the plugin package [integrity](https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description). | list | `[]` |
 | global.host | Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig`. | string | `""` |
-| orchestrator.enabled |  | bool | `true` |
+| orchestrator.enabled |  | bool | `false` |
 | orchestrator.orchestrator.sonataflowPlatform.eventing.broker.name |  | string | `""` |
 | orchestrator.orchestrator.sonataflowPlatform.eventing.broker.namespace |  | string | `""` |
 | orchestrator.orchestrator.sonataflowPlatform.monitoring.enabled |  | bool | `true` |
@@ -206,8 +206,8 @@ Kubernetes: `>= 1.25.0-0`
 | orchestrator.postgres.serviceName |  | string | `"sonataflow-psql-postgresql"` |
 | orchestrator.postgres.serviceNamespace |  | string | `""` |
 | orchestrator.rhdhPlugins.npmRegistry |  | string | `""` |
-| orchestrator.serverlessLogicOperator.enabled |  | bool | `true` |
-| orchestrator.serverlessOperator.enabled |  | bool | `true` |
+| orchestrator.serverlessLogicOperator.enabled |  | bool | `false` |
+| orchestrator.serverlessOperator.enabled |  | bool | `false` |
 | route | OpenShift Route parameters | object | `{"annotations":{},"enabled":true,"host":"{{ .Values.global.host }}","path":"/","tls":{"caCertificate":"","certificate":"","destinationCACertificate":"","enabled":true,"insecureEdgeTerminationPolicy":"Redirect","key":"","termination":"edge"},"wildcardPolicy":"None"}` |
 | route.annotations | Route specific annotations | object | `{}` |
 | route.enabled | Enable the creation of the route resource | bool | `true` |
@@ -337,3 +337,18 @@ upstream:
     volumePermissions:
       enabled: true
 ```
+
+## Installing RHDH with Orchestrator
+
+Orchestrator brings serverless workflows into Backstage, focusing on the journey for application migration to the cloud, on boarding developers ,and user-made workflows of Backstage actions or external systems.
+Orchestrator is a flavor of RHDH, and can be installed alongside the RHDH in the same namespace and in the folloing way:
+
+1. Install the orchestrator-infra helm chart, which will install the pre-requisites required to install RHDH flavored Orchestrator.
+```
+helm install <release_name> charts/orchestrator-infra
+```
+2. Manually approve the Install Plans created by the chart, and wait for the Openshift Serverless and Openshift Serverless Logic Operators to be deployed.
+3. Install backstage chart with helm, setting orchestrator to be enabled:
+```
+helm install <release_name> charts/backstage --set orchestrator.enabled=true
+```
diff --git a/charts/backstage/README.md.gotmpl b/charts/backstage/README.md.gotmpl
@@ -269,3 +269,18 @@ upstream:
     volumePermissions:
       enabled: true
 ```
+
+## Installing RHDH with Orchestrator 
+
+Orchestrator brings serverless workflows into Backstage, focusing on the journey for application migration to the cloud, on boarding developers ,and user-made workflows of Backstage actions or external systems.
+Orchestrator is a flavor of RHDH, and can be installed alongside the RHDH in the same namespace and in the folloing way: 
+
+1. Install the orchestrator-infra helm chart, which will install the pre-requisites required to install RHDH flavored Orchestrator.
+```
+helm install <release_name> charts/orchestrator-infra
+```
+2. Manually approve the Install Plans created by the chart, and wait for the Openshift Serverless and Openshift Serverless Logic Operators to be deployed. 
+3. Install backstage chart with helm, setting orchestrator to be enabled:
+```
+helm install <release_name> charts/backstage --set orchestrator.enabled=true
+```
diff --git a/charts/backstage/templates/_helpers.tpl b/charts/backstage/templates/_helpers.tpl
@@ -0,0 +1,50 @@
+{{/*
+Returns custom hostname
+*/}}
+{{- define "janus-idp.hostname" -}}
+    {{- if .Values.global.host -}}
+        {{- .Values.global.host -}}
+    {{- else if .Values.global.clusterRouterBase -}}
+        {{- printf "%s-%s.%s" (include "common.names.fullname" .) .Release.Namespace .Values.global.clusterRouterBase -}}
+    {{- else -}}
+        {{ fail "Unable to generate hostname" }}
+    {{- end -}}
+{{- end -}}
+
+{{/*
+Returns a secret name for service to service auth
+*/}}
+{{- define "janus-idp.backend-secret-name" -}}
+    {{- if .Values.global.auth.backend.existingSecret -}}
+        {{- .Values.global.auth.backend.existingSecret -}}
+    {{- else -}}
+        {{- printf "%s-auth" .Release.Name -}}
+    {{- end -}}
+{{- end -}}
+
+{{/*
+Sets the secretKeyRef name for Backstage to the PostgreSQL existing secret if it present
+*/}}
+{{- define "janus-idp.postgresql.secretName" -}}
+    {{- if ((((.Values).global).postgresql).auth).existingSecret -}}
+        {{- .Values.global.postgresql.auth.existingSecret -}}
+    {{- else if .Values.postgresql.auth.existingSecret -}}
+        {{- .Values.postgresql.auth.existingSecret -}}
+    {{- else -}}
+        {{- printf "%s-%s" .Release.Name "postgresql" -}}
+    {{- end -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+Referenced from: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/templates/_helpers.tpl#L94-L105
+*/}}
+{{- define "postgresql.v1.secretName" -}}
+    {{- if .Values.global.postgresql.auth.existingSecret -}}
+        {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
+    {{- else if .Values.auth.existingSecret -}}
+        {{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
+    {{- else -}}
+        {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- end -}}
+{{- end -}}
diff --git a/charts/backstage/templates/knatives.yaml b/charts/backstage/templates/knatives.yaml
diff --git a/charts/backstage/templates/network-policies.yaml b/charts/backstage/templates/network-policies.yaml
@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-knative-to-sonataflow-and-workflows
+  name: {{ .Release.Name }}-allow-knative-to-sonataflow-and-workflows
   # Sonataflow and Workflows are using the RHDH target namespace.
   namespace: {{ .Release.Namespace | quote }}
 spec:
@@ -22,7 +22,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-external-communication
+  name: {{ .Release.Name }}-allow-external-communication
   namespace: {{ .Release.Namespace | quote }}
 spec:
   podSelector: {}
@@ -36,7 +36,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-intra-network
+  name: {{ .Release.Name }}-allow-intra-network
   namespace: {{ .Release.Namespace | quote }}
 spec:
   # Apply this policy to all pods in the namespace
@@ -57,7 +57,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-monitoring-to-sonataflow-and-workflows
+  name: {{ .Release.Name }}-allow-monitoring-to-sonataflow-and-workflows
   namespace: {{ .Release.Namespace | quote }}
 spec:
   # Apply this policy to all pods in the namespace
diff --git a/charts/backstage/values.schema.json b/charts/backstage/values.schema.json
@@ -95,7 +95,7 @@
             "additionalProperties": false,
             "properties": {
                 "enabled": {
-                    "default": true,
+                    "default": false,
                     "title": "enabled flag",
                     "type": "boolean"
                 },
@@ -255,7 +255,7 @@
                     "additionalProperties": false,
                     "properties": {
                         "enabled": {
-                            "default": true,
+                            "default": false,
                             "title": "enabled flag",
                             "type": "boolean"
                         }
@@ -267,7 +267,7 @@
                     "additionalProperties": false,
                     "properties": {
                         "enabled": {
-                            "default": true,
+                            "default": false,
                             "title": "enabled flag",
                             "type": "boolean"
                         }
@@ -1161,24 +1161,6 @@
                                     "cors": {
                                         "origin": "https://{{- include \"janus-idp.hostname\" . }}"
                                     },
-                                    "csp": {
-                                        "connect-src": [
-                                            "'self'",
-                                            "http:",
-                                            "https:",
-                                            "data:"
-                                        ],
-                                        "script-src": [
-                                            "'self'",
-                                            "'unsafe-inline'",
-                                            "'unsafe-eval'"
-                                        ],
-                                        "script-src-elem": [
-                                            "'self'",
-                                            "'unsafe-inline'",
-                                            "'unsafe-eval'"
-                                        ]
-                                    },
                                     "database": {
                                         "connection": {
                                             "password": "${POSTGRESQL_ADMIN_PASSWORD}",
diff --git a/charts/backstage/values.schema.tmpl.json b/charts/backstage/values.schema.tmpl.json
@@ -204,7 +204,7 @@
                 "enabled": {
                     "title": "enabled flag",
                     "type": "boolean",
-                    "default": true
+                    "default": false
                 },
                 "rhdhPlugins": {
                     "title": "rhdhPlugins configuration",
diff --git a/charts/backstage/values.yaml b/charts/backstage/values.yaml
@@ -56,10 +56,6 @@ upstream:
         baseUrl: 'https://{{- include "janus-idp.hostname" . }}'
         cors:
           origin: 'https://{{- include "janus-idp.hostname" . }}'
-        csp:
-          script-src: ["'self'", "'unsafe-inline'", "'unsafe-eval'"]
-          script-src-elem: ["'self'", "'unsafe-inline'", "'unsafe-eval'"]
-          connect-src: ["'self'", 'http:', 'https:', 'data:']
         database:
           connection:
             password: ${POSTGRESQL_ADMIN_PASSWORD}
@@ -344,15 +340,15 @@ test:
     tag: latest
 
 orchestrator:
-  enabled: true
+  enabled: false
   rhdhPlugins: # RHDH plugins required for the Orchestrator
     npmRegistry: "" # NPM registry is defined already in the container, but sometimes the registry need to be modified to use different versions of the plugin, for example: staging(https://npm.stage.registry.redhat.com) or development repositories
 
   serverlessLogicOperator:
-    enabled: true # whether the operator resources are deployed
+    enabled: false # whether the operator resources are deployed
   
   serverlessOperator:
-    enabled: true # whether the operator resources are deployed
+    enabled: false # whether the operator resources are deployed
   
   postgres:
     serviceName: "sonataflow-psql-postgresql" # The name of the Postgres DB service to be used by platform services. Cannot be empty.
diff --git a/charts/orchestrator-infra/Chart.yaml b/charts/orchestrator-infra/Chart.yaml
@@ -13,4 +13,4 @@ maintainers:
 type: application
 sources:
   - https://github.com/redhat-developer/rhdh-chart
-version: 0.0.3
+version: 0.0.4
diff --git a/charts/orchestrator-infra/templates/NOTES.txt b/charts/orchestrator-infra/templates/NOTES.txt
@@ -33,14 +33,14 @@ Red Hat Serverless Logic Operator   {{ $serverlessLogicOperatorInstalled }}
 
 To manually approve the openshift-serverless InstallPlan:
 
-OS_PLAN=$(oc get installplan -n openshift-serverless)
+OS_PLAN=$(oc get installplan -n openshift-serverless --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
 oc patch installplan $OS_PLAN -n openshift-serverless --type merge --patch '{"spec":{"approved":true}}'
 {{- end }}
 
 {{- if eq .Values.serverlessLogicOperator.subscription.spec.installPlanApproval "Manual" }}
 
 To manually approve the openshift-serverless-logic InstallPlan:
 
-OSL_PLAN=$(oc get installplan -n openshift-serverless)
-oc patch installplan $OSL_PLAN -n openshift-serverless --type merge --patch '{"spec":{"approved":true}}'
+OSL_PLAN=$(oc get installplan -n openshift-serverless-logic --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+oc patch installplan $OSL_PLAN -n openshift-serverless-logic --type merge --patch '{"spec":{"approved":true}}'
 {{- end }}
diff --git a/charts/orchestrator-infra/templates/_helpers.tpl b/charts/orchestrator-infra/templates/_helpers.tpl
@@ -0,0 +1,37 @@
+{{/* Helper functions */}}
+
+{{- define "unmanaged-resource-exists" -}}
+    {{- $api := index . 0 -}}
+    {{- $kind := index . 1 -}}
+    {{- $namespace := index . 2 -}}
+    {{- $name := index . 3 -}}
+    {{- $releaseName := index . 4 -}}
+    {{- $apiCapabilities := index . 5 -}}
+    {{- $unmanagedSubscriptionExists := "true" -}}
+    {{- if $apiCapabilities.Has (printf "%s/%s" $api $kind) }}
+        {{- $existingOperator := lookup $api $kind $namespace $name -}}
+        {{- if empty $existingOperator -}}
+            {{- "false" -}}
+        {{- else -}}
+            {{- $isManagedResource := include "is-managed-resource" (list $existingOperator $releaseName) -}}
+            {{- if eq $isManagedResource "true" -}}
+                {{- "false" -}}
+            {{- else -}}
+                {{- "true" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- else -}}
+        {{- "false" -}}
+    {{- end -}}
+{{- end -}}
+
+{{- define "is-managed-resource" -}}
+    {{- $resource := index . 0 -}}
+    {{- $releaseName := index . 1 -}}
+    {{- $resourceReleaseName := dig "metadata" "annotations" (dict "meta.helm.sh/release-name" "NA") $resource -}}
+    {{- if eq (get $resourceReleaseName "meta.helm.sh/release-name") $releaseName -}}
+        {{- "true" -}}
+    {{- else -}}
+        {{- "false" -}}
+    {{- end -}}
+{{- end -}}
