redhat-appstudio
diff --git a/‎go.mod
Lines changed: 3 additions & 0 deletions b/‎go.mod
Lines changed: 3 additions & 0 deletions
diff --git a/‎go.sum
Lines changed: 8 additions & 0 deletions b/‎go.sum
Lines changed: 8 additions & 0 deletions
diff --git a/‎installer/charts/tssc-dh/templates/app-config-content.yaml
Lines changed: 30 additions & 8 deletions b/‎installer/charts/tssc-dh/templates/app-config-content.yaml
Lines changed: 30 additions & 8 deletions
diff --git a/‎installer/charts/tssc-dh/templates/extra-env.yaml
Lines changed: 2 additions & 0 deletions b/‎installer/charts/tssc-dh/templates/extra-env.yaml
Lines changed: 2 additions & 0 deletions
diff --git a/‎installer/charts/tssc-dh/templates/plugins-content.yaml
Lines changed: 7 additions & 2 deletions b/‎installer/charts/tssc-dh/templates/plugins-content.yaml
Lines changed: 7 additions & 2 deletions
diff --git a/‎installer/charts/values.yaml.tpl
Lines changed: 11 additions & 2 deletions b/‎installer/charts/values.yaml.tpl
Lines changed: 11 additions & 2 deletions
diff --git a/‎installer/config.yaml
Lines changed: 3 additions & 1 deletion b/‎installer/config.yaml
Lines changed: 3 additions & 1 deletion
diff --git a/‎pkg/integrations/gitlab.go
Lines changed: 50 additions & 2 deletions b/‎pkg/integrations/gitlab.go
Lines changed: 50 additions & 2 deletions
@@ -16,6 +16,7 @@ require (
 	github.com/quay/claircore v1.5.39
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.7
+	gitlab.com/gitlab-org/api/client-go v0.137.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.18.4
 	k8s.io/api v0.33.3
@@ -71,7 +72,9 @@ require (
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/invopop/jsonschema v0.13.0 // indirect
 
@@ -151,8 +151,14 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKA
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
 github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
@@ -334,6 +340,8 @@ github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT0
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+gitlab.com/gitlab-org/api/client-go v0.137.0 h1:H26yL44qnb38Czl20pEINCJrcj63W6/BX8iKPVUKQP0=
+gitlab.com/gitlab-org/api/client-go v0.137.0/go.mod h1:AcAYES3lfkIS4zhso04S/wyUaWQmDYve2Fd9AF7C6qc=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w=
 
@@ -18,6 +18,17 @@ app:
 {{- $azureSecretObj := (lookup "v1" "Secret" $integrationNamespace "tssc-azure-integration") }}
 {{- $azureSecretData := ($azureSecretObj.data | default dict) }}
 
+# Validation
+{{- if and (not $githubSecretObj) (eq .Values.developerHub.authProvider "github") }}
+  {{- fail (printf "Github Integration required for github auth provider") }}
+{{- else if and (not $gitlabSecretObj) (eq .Values.developerHub.authProvider "gitlab") }}
+  {{- fail (printf "Gitlab Integration required for gitlab auth provider") }}
+{{- else if and (not $azureSecretObj) (eq .Values.developerHub.authProvider "microsoft") }}
+  {{- fail (printf "Azure Integration required for microsoft auth provider") }}
+{{- else if not (has .Values.developerHub.authProvider (list "github" "gitlab" "microsoft")) }}
+  {{- fail (printf "Auth provider %s is not supported, set it to github, gitlab, or microsoft" .Values.developerHub.authProvider) }}
+{{- end }}
+
 {{- if $argocdSecretData }}
 argocd:
   appLocatorMethods:
@@ -43,7 +54,7 @@ auth:
   environment: production
   providers:
   {{- $signInPage := "" }}
-  {{- if $azureSecretData }}
+  {{- if eq .Values.developerHub.authProvider "microsoft" }}
     {{- if and $azureSecretData.clientId $azureSecretData.clientSecret $azureSecretData.tenantId }}
     {{- $signInPage = "microsoft" }}
     microsoft:
@@ -53,7 +64,7 @@ auth:
         tenantId: ${AZURE__TENANT__ID}
     {{- end }}
   {{- end }}
-  {{- if $githubSecretObj }}
+  {{- if eq .Values.developerHub.authProvider "github" }}
     {{- $signInPage = "github" }}
     github:
       production:
@@ -69,8 +80,8 @@ auth:
               dangerouslyAllowSignInWithoutUserInCatalog: true
       {{- end }}
   {{- end }}
-  {{- $gitlabSecretData := ($gitlabSecretObj.data | default dict) }}
-  {{- if $gitlabSecretData }}
+  {{- if eq .Values.developerHub.authProvider "gitlab" }}
+    {{- $gitlabSecretData := ($gitlabSecretObj.data | default dict) }}
     {{- if and $gitlabSecretData.clientId $gitlabSecretData.clientSecret }}
     {{- $signInPage = "gitlab" }}
     gitlab:
@@ -97,8 +108,10 @@ backend:
   cors:
     origin: ${BACKEND_URL}
 catalog:
-  {{- if and .Values.developerHub.RBAC.enabled $githubSecretObj }}
+  {{- if .Values.developerHub.RBAC.enabled }}
   providers:
+  {{- end }}
+  {{- if eq .Values.developerHub.authProvider "github" }}
     githubOrg:
       id: production
       githubUrl: ${GITHUB__URL}
@@ -109,6 +122,17 @@ catalog:
         frequency: { minutes: 15 }
         timeout: { minutes: 5 }
   {{- end }}
+  {{- if eq .Values.developerHub.authProvider "gitlab" }}
+    gitlab:
+      default:
+        host: ${GITLAB__HOST}
+        orgEnabled: true
+        group: ${GITLAB__GROUP}
+        schedule:
+          initialDelay: { seconds: 30 }
+          frequency: { minutes: 15 }
+          timeout: { minutes: 5 }
+  {{- end }}
   locations:
     - target: ${DEVELOPER_HUB__CATALOG__URL}
       type: url
@@ -174,17 +198,15 @@ jenkins:
 nexus:
   uiUrl: ${NEXUS__URL}
 {{- end }}
-{{- if .Values.developerHub.RBAC.enabled }}
+{{- if and .Values.developerHub.RBAC.enabled (has .Values.developerHub.authProvider (list "github" "gitlab")) }}
 permission:
   enabled: true
-  {{- if $githubSecretObj }}
   rbac:
     admin:
       users:
       {{- range .Values.developerHub.RBAC.adminUsers }}
         - name: user:default/{{ . }}
       {{- end }}
-  {{- end }}
 {{- else }}
 permission:
   enabled: false
 
@@ -74,9 +74,11 @@ data:
 {{- $glSecretObj := (lookup "v1" "Secret" $integrationNamespace "tssc-gitlab-integration") -}}
 {{- $glSecretData := ($glSecretObj.data | default dict) -}}
 {{- if $glSecretData }}
+    GITLAB__GROUP: "{{ $glSecretData.group }}"
     GITLAB__HOST: {{ $glSecretData.host }}
     GITLAB__TOKEN: "{{ $glSecretData.token }}"
     GITLAB__URL: {{ print "https://" ($glSecretData.host | b64dec) | b64enc }}
+    GITLAB__USERNAME: {{ $glSecretData.username }}
     {{- if and $glSecretData.clientId $glSecretData.clientSecret }}
     GITLAB__APP__CLIENT__ID: {{ $glSecretData.clientId }}
     GITLAB__APP__CLIENT__SECRET: {{ $glSecretData.clientSecret }}
 
@@ -178,17 +178,22 @@ plugins:
   #
   # RBAC
   #
-  {{- $githubSecretObj := (lookup "v1" "Secret" $integrationNamespace "tssc-github-integration") }}
-  {{- if and .Values.developerHub.RBAC.enabled $githubSecretObj }}
+  {{- if .Values.developerHub.RBAC.enabled }}
   - package: ./dynamic-plugins/dist/backstage-community-plugin-rbac
     disabled: false
+  {{- if eq .Values.developerHub.authProvider "github" }}
   - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org-dynamic
     disabled: false
     pluginConfig:
       catalog:
         githubOrg:
           githubUrl: ${GITHUB__URL}
   {{- end }}
+  {{- if eq .Values.developerHub.authProvider "gitlab" }}
+  - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-gitlab-org-dynamic
+    disabled: false
+  {{- end }}
+  {{- end }}
   #
   # Tech Docs
   #
 
@@ -218,19 +218,28 @@ integrations:
 {{- $catalogURL := required "Red Hat Developer Hub Catalog URL is required"
     $rhdh.Properties.catalogURL }}
 
+{{- $authProvider := required "Auth Provider is required"
+    $rhdh.Properties.authProvider }}
+
+
 developerHub:
   namespace: {{ $rhdh.Namespace }}
   ingressDomain: {{ $ingressDomain }}
   catalogURL: {{ $catalogURL }}
+  authProvider: {{ $authProvider }}
   integrationSecrets:
     namespace: {{ .Installer.Namespace }}
   RBAC:
+    enabled: {{ dig "Properties" "RBAC" "enabled" false $rhdh }}
+{{- if eq $authProvider "github" }}
     adminUsers:
 {{ dig "Properties" "RBAC" "adminUsers" (list "${GITHUB__USERNAME}") $rhdh | toYaml | indent 6 }}
-    enabled: {{ dig "Properties" "RBAC" "enabled" false $rhdh }}
     orgs:
 {{ dig "Properties" "RBAC" "orgs" (list "${GITHUB__ORG}") $rhdh | toYaml | indent 6 }}
-
+{{- else if eq $authProvider "gitlab" }}
+    adminUsers:
+{{ dig "Properties" "RBAC" "adminUsers" (list "${GITLAB__USERNAME}") $rhdh | toYaml | indent 6 }}
+{{- end }}
 #
 # tssc-tpa-realm
 #
 
@@ -27,10 +27,12 @@ tssc:
         manageSubscription: true
         # namespacePrefixes:
         #   - tssc-app
+        authProvider: github
+        # Possible values: github, gitlab, microsoft
         # RBAC:
         #   adminUsers:
         #     - myUsername
-        #   enabled: false
+        #   enabled: true
         #   orgs:
         #     - myOrg
     advancedClusterSecurity:
 
@@ -2,13 +2,15 @@ package integrations
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log/slog"
+	"net/http"
 
 	"github.com/redhat-appstudio/tssc/pkg/config"
 	"github.com/redhat-appstudio/tssc/pkg/k8s"
-
 	"github.com/spf13/cobra"
+	gitlab "gitlab.com/gitlab-org/api/client-go"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -22,7 +24,8 @@ type GitLabIntegration struct {
 	logger *slog.Logger // application logger
 	kube   *k8s.Kube    // kubernetes client
 
-	force bool // overwrite the existing secret
+	force    bool // overwrite the existing secret
+	insecure bool // Skips tls verification on api calls
 
 	host         string // GitLab host
 	clientId     string // GitLab application client id
@@ -37,6 +40,8 @@ func (g *GitLabIntegration) PersistentFlags(c *cobra.Command) {
 
 	p.BoolVar(&g.force, "force", g.force,
 		"Overwrite the existing secret")
+	p.BoolVar(&g.insecure, "insecure", g.insecure,
+		"Skips tls verification on api calls")
 
 	p.StringVar(&g.host, "host", g.host,
 		"GitLab host, defaults to 'gitlab.com'")
@@ -60,6 +65,7 @@ func (g *GitLabIntegration) PersistentFlags(c *cobra.Command) {
 func (g *GitLabIntegration) log() *slog.Logger {
 	return g.logger.With(
 		"force", g.force,
+		"insecure", g.insecure,
 		"host", g.host,
 		"clientId", g.clientId,
 		"clientSecret-len", len(g.clientSecret),
@@ -126,11 +132,51 @@ func (g *GitLabIntegration) prepareSecret(
 	return k8s.DeleteSecret(ctx, g.kube, g.secretName(cfg))
 }
 
+// getCurrentGitLabUser gets the current user name authenticated with access token
+func (g *GitLabIntegration) getCurrentGitLabUser() (string, error) {
+	url := fmt.Sprintf("https://%s", g.host)
+	logger := g.log()
+
+	cl, err := gitlab.NewClient(g.token, gitlab.WithBaseURL(url))
+	if err != nil {
+		logger.Error("Error building gitlab client")
+		return "", err
+	}
+
+	if g.insecure {
+		insecureTransport := &http.Transport{
+		    TLSClientConfig: &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12},
+	    }
+
+	    hcl := &http.Client{Transport: insecureTransport}
+
+	    cl, err = gitlab.NewClient(g.token, gitlab.WithBaseURL(url), gitlab.WithHTTPClient(hcl))
+	    if err != nil {
+		    logger.Error("Error building gitlab client")
+		    return "", err
+	    }
+	}
+
+	user, _, err := cl.Users.CurrentUser()
+	if err != nil {
+		logger.Error("Error getting user")
+		return "", err
+	}
+
+	return user.Username, nil
+}
+
 // store creates the secret with the integration data.
 func (g *GitLabIntegration) store(
 	ctx context.Context,
 	cfg *config.Config,
 ) error {
+	// Getting the user name
+	username, err := g.getCurrentGitLabUser()
+	if err != nil {
+		return err
+	}
+
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: g.secretName(cfg).Namespace,
@@ -143,6 +189,7 @@ func (g *GitLabIntegration) store(
 			"host":         []byte(g.host),
 			"token":        []byte(g.token),
 			"group":        []byte(g.group),
+			"username":     []byte(username),
 		},
 	}
 	logger := g.log().With(
@@ -185,6 +232,7 @@ func NewGitLabIntegration(
 		kube:   kube,
 
 		force:        false,
+		insecure:     false,
 		host:         defaultPublicGitLabHost,
 		clientId:     "",
 		clientSecret: "",