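---
# Backstage custom resource for the operator. The listing had lost its
# indentation, so the nesting below is restored.
apiVersion: rhdh.redhat.com/v1alpha1
kind: Backstage
metadata:
  name: backstage-with-sidecar
spec:
  # TODO: you may want to add app-config files, dynamic plugins config, extra env vars, etc. in the 'application' field.
  # application: {}
  rawRuntimeConfig:
    # Name of the ConfigMap that carries the 'deployment.yaml' override. It
    # must match the ConfigMap's metadata.name in the same namespace.
    # Anyone who can edit that ConfigMap can change the pod spec, including
    # the oauth2-proxy sidecar flags, so restrict write access to it via RBAC.
    backstageConfig: backstage-with-sidecar-runtime-config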
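---
# Secret consumed through envFrom by the oauth2-proxy sidecar; each key
# becomes an OAUTH2_PROXY_* environment variable. The listing had lost its
# indentation, so the nesting below is restored.
# All values are placeholders. Do not commit real values to version control;
# create the Secret out of band or through a secret manager.
apiVersion: v1
kind: Secret
metadata:
  name: backstage-with-sidecar-app-secrets
stringData:
  OAUTH2_PROXY_CLIENT_ID: "my-oauth2-proxy-client-id"
  OAUTH2_PROXY_CLIENT_SECRET: "my-oauth2-proxy-client-secret"
  # The cookie secret protects the session cookie. oauth2-proxy expects a
  # random value of 16, 24 or 32 bytes; generate it from a CSPRNG rather
  # than choosing a memorable string.
  OAUTH2_PROXY_COOKIE_SECRET: "my-oauth2-proxy-cookie-secret"
  # Should be the provider's https:// issuer URL.
  OAUTH2_PROXY_OIDC_ISSUER_URL: "my-oauth2-proxy-oidc-issuer-url"
  # NOTE(review): "true" turns off TLS certificate verification for the
  # proxy's connections to the OIDC provider (discovery, token exchange,
  # JWKS), so a network-positioned party could impersonate the provider.
  # Keep this only for throwaway test setups. For a provider behind a
  # private CA, set it to "false" and supply the CA bundle with
  # oauth2-proxy's --provider-ca-file option.
  OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true"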
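---
# ConfigMap holding the Deployment template for the Backstage instance. Its
# name is the one the Backstage CR on this page references through
# spec.rawRuntimeConfig.backstageConfig. The listing had lost its indentation,
# so the nesting (including the body of the block scalar) is restored below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: backstage-with-sidecar-runtime-config
data:
  deployment.yaml: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: backstage # placeholder for 'backstage-<cr-name>'
    spec:
      replicas: 1
      selector:
        matchLabels:
          rhdh.redhat.com/app: # placeholder for 'backstage-<cr-name>'
      template:
        metadata:
          labels:
            rhdh.redhat.com/app: # placeholder for 'backstage-<cr-name>'
        spec:
          # No container here needs the Kubernetes API, so the service
          # account token is not mounted.
          automountServiceAccountToken: false
          # if securityContext not present in AKS/EKS, the error is like this:
          #Error: EACCES: permission denied, open '/dynamic-plugins-root/backstage-plugin-scaffolder-backend-module-github-dynamic-0.2.2.tgz'
          # fsGroup does not work for Openshift
          #securityContext:
          #  fsGroup: 1001
          volumes:
            - ephemeral:
                volumeClaimTemplate:
                  spec:
                    accessModes:
                      - ReadWriteOnce
                    resources:
                      requests:
                        storage: 2Gi
              name: dynamic-plugins-root
            - name: dynamic-plugins-npmrc
              secret:
                # 420 decimal == 0644 octal
                defaultMode: 420
                optional: true
                secretName: dynamic-plugins-npmrc
          initContainers:
            - name: install-dynamic-plugins
              command:
                - ./install-dynamic-plugins.sh
                - /dynamic-plugins-root
              image: quay.io/janus-idp/backstage-showcase:latest # will be replaced with the actual image quay.io/janus-idp/backstage-showcase:next
              imagePullPolicy: IfNotPresent
              securityContext:
                runAsNonRoot: true
                allowPrivilegeEscalation: false
              env:
                - name: NPM_CONFIG_USERCONFIG
                  value: /opt/app-root/src/.npmrc.dynamic-plugins
              volumeMounts:
                - mountPath: /dynamic-plugins-root
                  name: dynamic-plugins-root
                - mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
                  name: dynamic-plugins-npmrc
                  readOnly: true
                  subPath: .npmrc
              workingDir: /opt/app-root/src
              resources:
                requests:
                  cpu: 250m
                  memory: 256Mi
                limits:
                  cpu: 1000m
                  memory: 2.5Gi
                  ephemeral-storage: 5Gi
          containers:
            - name: backstage-backend
              # image will be replaced by the value of the `RELATED_IMAGE_backstage` env var, if set
              image: quay.io/janus-idp/backstage-showcase:latest
              imagePullPolicy: IfNotPresent
              args:
                - "--config"
                - "dynamic-plugins-root/app-config.dynamic-plugins.yaml"
              securityContext:
                runAsNonRoot: true
                allowPrivilegeEscalation: false
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthcheck
                  port: 7007
                  scheme: HTTP
                initialDelaySeconds: 30
                periodSeconds: 10
                successThreshold: 2
                timeoutSeconds: 2
              livenessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthcheck
                  port: 7007
                  scheme: HTTP
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 2
              ports:
                # NOTE(review): authentication is enforced only for traffic
                # that enters through the oauth2-proxy port (4180). Confirm
                # that the Service/Route/Ingress in front of this pod targets
                # 4180 and that nothing exposes 7007 directly, for example
                # with a NetworkPolicy. Otherwise the proxy is bypassed and
                # the identity headers it sets can be supplied by the client.
                - name: backend
                  containerPort: 7007
              env:
                - name: APP_CONFIG_backend_listen_port
                  value: "7007"
              volumeMounts:
                - mountPath: /opt/app-root/src/dynamic-plugins-root
                  name: dynamic-plugins-root
              resources:
                requests:
                  cpu: 250m
                  memory: 256Mi
                limits:
                  cpu: 1000m
                  memory: 2.5Gi
                  ephemeral-storage: 5Gi
            # oauth2 sidecar container
            # NOTE(review): unlike the two containers above, this one sets no
            # securityContext and no resources. Consider the same
            # runAsNonRoot / allowPrivilegeEscalation settings (after
            # confirming the image runs as a numeric non-root UID) and
            # explicit requests/limits.
            - args:
                - '--provider=oidc'
                # '*' accepts every email domain, so who may sign in is
                # decided entirely by the OIDC provider. Narrow this to the
                # organisation's domain(s) where possible.
                - '--email-domain=*'
                - '--upstream=http://localhost:7007'
                # Plain HTTP on all pod interfaces; TLS is presumably
                # terminated by a Route/Ingress in front of the pod. Confirm
                # for the target cluster.
                - '--http-address=0.0.0.0:4180'
                - '--skip-provider-button'
                # Accepts ID tokens whose email is not marked verified by the
                # provider. Together with '--email-domain=*' the email claim
                # is not a trustworthy identity; drop this flag unless the
                # provider cannot emit email_verified.
                - '--insecure-oidc-allow-unverified-email=true'
                # Forwards the user's access token to the upstream
                # (X-Forwarded-Access-Token). Enable only if Backstage needs
                # it, and keep it out of request logs.
                - '--pass-access-token=true'
                # Forwards identity headers (X-Forwarded-User/-Email) to the
                # upstream. They are trustworthy only when the upstream
                # cannot be reached except through this proxy.
                - '--pass-user-headers=true'
              envFrom:
                - secretRef:
                    name: backstage-with-sidecar-app-secrets
              # NOTE(review): ':latest' with IfNotPresent is a mutable tag, so
              # nodes can end up running different, unreviewed builds of the
              # authentication proxy. Pin to a release tag or a digest, e.g.
              # quay.io/oauth2-proxy/oauth2-proxy@sha256:<digest-placeholder>.
              image: 'quay.io/oauth2-proxy/oauth2-proxy:latest'
              imagePullPolicy: IfNotPresent
              name: oauth2-proxy
              ports:
                - containerPort: 4180
                  name: oauth2-proxy
                  protocol: TCP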