From ac4f261951bd751a52ec6e824838f09e79e76934 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Mac=C3=ADk?= <pavel.macik@gmail.com>
Date: Tue, 1 Oct 2024 13:16:28 +0200
Subject: [PATCH] fix(RHIDP-3670): Reduce user and group name sizes to support
 bigger RBAC policies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Pavel Macík <pavel.macik@gmail.com>
---
 ci-scripts/rhdh-setup/create_resource.sh         | 10 +++++-----
 ci-scripts/rhdh-setup/deploy.sh                  |  5 +++--
 .../template/backstage/app-rbac-patch.yaml       |  4 ++--
 .../template/backstage/helm/app-rbac-patch.yaml  |  2 +-
 .../template/backstage/olm/app-rbac-patch.yaml   |  2 +-
 .../template/backstage/rbac-config.yaml          | 13 +++++++------
 .../rhdh-setup/template/component/api.template   |  2 +-
 .../template/component/component.template        |  2 +-
 .../template/keycloak/keycloakUser.yaml          | 16 ++++++++++------
 9 files changed, 31 insertions(+), 25 deletions(-)

diff --git a/ci-scripts/rhdh-setup/create_resource.sh b/ci-scripts/rhdh-setup/create_resource.sh
index 69eca9d..76c234c 100755
--- a/ci-scripts/rhdh-setup/create_resource.sh
+++ b/ci-scripts/rhdh-setup/create_resource.sh
@@ -168,7 +168,7 @@ create_group() {
   attempt=1
   while ((attempt <= max_attempts)); do
     token=$(get_token)
-    groupname="group${0}"
+    groupname="g${0}"
     response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
@@ -189,7 +189,7 @@ create_group() {
 create_groups() {
   log_info "Creating Groups in Keycloak"
   for i in $(seq 1 "$GROUP_COUNT"); do
-    echo "    g, group:default/group${i}, role:default/perf_admin" >>"$TMP_DIR/group-rbac.yaml"
+    echo "    g, group:default/g${i}, role:default/a" >>"$TMP_DIR/group-rbac.yaml"
   done
   sleep 5
   seq 1 "${GROUP_COUNT}" | xargs -n1 -P"${POPULATION_CONCURRENCY}" bash -c 'create_group'
@@ -202,8 +202,8 @@ create_user() {
     token=$(get_token)
     grp=$(echo "${0}%${GROUP_COUNT}" | bc)
     [[ $grp -eq 0 ]] && grp=${GROUP_COUNT}
-    username="test${0}"
-    groupname="group${grp}"
+    username="t${0}"
+    groupname="g${grp}"
     response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
@@ -264,7 +264,7 @@ keycloak_token() {
 rhdh_token() {
   REDIRECT_URL="$(backstage_url)/oauth2/callback"
   REFRESH_URL="$(backstage_url)/api/auth/oauth2Proxy/refresh"
-  USERNAME="test1"
+  USERNAME="guru"
   PASSWORD=$(oc -n "${RHDH_NAMESPACE}" get secret perf-test-secrets -o template --template='{{.data.keycloak_user_pass}}' | base64 -d)
   REALM="backstage"
   CLIENTID="backstage"
diff --git a/ci-scripts/rhdh-setup/deploy.sh b/ci-scripts/rhdh-setup/deploy.sh
index 9b76fa0..47532b7 100755
--- a/ci-scripts/rhdh-setup/deploy.sh
+++ b/ci-scripts/rhdh-setup/deploy.sh
@@ -186,7 +186,8 @@ keycloak_install() {
         fi
     fi
     envsubst <template/keycloak/keycloakClient.yaml | $clin apply -f -
-    envsubst <template/keycloak/keycloakUser.yaml | $clin apply -f -
+    # shellcheck disable=SC2016
+    envsubst '${KEYCLOAK_USER_PASS}' <template/keycloak/keycloakUser.yaml | $clin apply -f -
 }
 
 create_users_groups() {
@@ -235,7 +236,7 @@ backstage_install() {
     if ${ENABLE_RBAC}; then
         cp template/backstage/rbac-config.yaml "${TMP_DIR}"
         cat "$TMP_DIR/group-rbac.yaml" >>"$TMP_DIR/rbac-config.yaml"
-        $clin apply -f "$TMP_DIR/rbac-config.yaml" --namespace="${RHDH_NAMESPACE}"
+        until $clin create -f "$TMP_DIR/rbac-config.yaml"; do $clin delete configmap rbac-policy --ignore-not-found=true; done
     fi
     envsubst <template/backstage/plugin-secrets.yaml | $clin apply -f -
     if [ "$INSTALL_METHOD" == "helm" ]; then
diff --git a/ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml b/ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml
index 766d943..4f203a6 100644
--- a/ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/app-rbac-patch.yaml
@@ -2,7 +2,7 @@
 permission:
   enabled: true
   rbac:
-    policies-csv-file: './rbac/rbac-policy.csv'
+    policies-csv-file: "./rbac/rbac-policy.csv"
     admin:
       users:
-        - name: user:default/test1
+        - name: user:default/guru
diff --git a/ci-scripts/rhdh-setup/template/backstage/helm/app-rbac-patch.yaml b/ci-scripts/rhdh-setup/template/backstage/helm/app-rbac-patch.yaml
index 69a8f32..4f203a6 100644
--- a/ci-scripts/rhdh-setup/template/backstage/helm/app-rbac-patch.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/helm/app-rbac-patch.yaml
@@ -5,4 +5,4 @@ permission:
     policies-csv-file: "./rbac/rbac-policy.csv"
     admin:
       users:
-        - name: user:default/test1
+        - name: user:default/guru
diff --git a/ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml b/ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
index 150609e..6fcff8d 100644
--- a/ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
@@ -5,4 +5,4 @@ permission:
     policies-csv-file: "./rbac-policy.csv"
     admin:
       users:
-        - name: user:default/test1
+        - name: user:default/guru
diff --git a/ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml b/ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml
index a6c55f3..bf1d0d8 100644
--- a/ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml
+++ b/ci-scripts/rhdh-setup/template/backstage/rbac-config.yaml
@@ -4,9 +4,10 @@ metadata:
   name: rbac-policy
 data:
   rbac-policy.csv: |
-    p, role:default/perf_admin, kubernetes.proxy, use, allow
-    p, role:default/perf_admin, catalog-entity, read, allow
-    p, role:default/perf_admin, catalog.entity.create, create, allow
-    p, role:default/perf_admin, catalog.location.create, create, allow
-    p, role:default/perf_admin, catalog.location.read, read, allow
-    g, user:development/guest, role:default/perf_admin
+    p, role:default/a, kubernetes.proxy, use, allow
+    p, role:default/a, catalog-entity, read, allow
+    p, role:default/a, catalog.entity.create, create, allow
+    p, role:default/a, catalog.location.create, create, allow
+    p, role:default/a, catalog.location.read, read, allow
+    g, user:default/guru, role:default/a
+    g, user:development/guest, role:default/a
diff --git a/ci-scripts/rhdh-setup/template/component/api.template b/ci-scripts/rhdh-setup/template/component/api.template
index 42ef87c..e2b4780 100644
--- a/ci-scripts/rhdh-setup/template/component/api.template
+++ b/ci-scripts/rhdh-setup/template/component/api.template
@@ -7,6 +7,6 @@ metadata:
 spec:
   type: openapi
   lifecycle: production
-  owner: group${grp_indx}
+  owner: g${grp_indx}
   definition:
     $text: https://github.com/APIs-guru/openapi-directory/blob/main/APIs/archive.org/wayback/1.0.0/openapi.yaml
diff --git a/ci-scripts/rhdh-setup/template/component/component.template b/ci-scripts/rhdh-setup/template/component/component.template
index 34f94c6..37bfe2c 100644
--- a/ci-scripts/rhdh-setup/template/component/component.template
+++ b/ci-scripts/rhdh-setup/template/component/component.template
@@ -7,5 +7,5 @@ metadata:
 spec:
   type: library
   lifecycle: experimental
-  owner: group${grp_indx}
+  owner: g${grp_indx}
   system: audio-playback
diff --git a/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml b/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml
index 9c04508..4254be8 100644
--- a/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml
+++ b/ci-scripts/rhdh-setup/template/keycloak/keycloakUser.yaml
@@ -1,7 +1,7 @@
 apiVersion: keycloak.org/v1alpha1
 kind: KeycloakUser
 metadata:
-  name: demo
+  name: guru
   labels:
     app: sso
 spec:
@@ -9,9 +9,13 @@ spec:
     matchLabels:
       app: sso
   user:
-    username: demo
-    firstName: John
-    lastName: Doe
-    email: demo@example.com
+    username: guru
+    firstName: Guru
+    lastName: RHDH Admin
+    email: guru@test.com
     enabled: true
-    emailVerified: false
+    emailVerified: true
+    temporary: false
+    credentials:
+      - type: password
+        value: ${KEYCLOAK_USER_PASS}