@@ -19,11 +19,29 @@ The Diamond Light Source developer portal, built with backstage for deployment o
1919- Set ` remote.containers.dockerPath ` to ` podman `
2020- Set ` remote.containers.dockerComposePath ` to your ` docker-compose `
2121- Disable buildkit by adding ` export DOCKER_BUILDKIT=0 ` to your ` ~/.bashrc `
22- - Open Development Container
2322- Create a ` .env ` file in the ` .devcontainer ` directory containing the [ necessary secrets] ( #necessary-secrets )
23+ - Open Development Container
2424- Install package dependencies with ` yarn --cwd backstage install `
2525- Start the app, with ` yarn --cwd backstage dev `
2626
27+ ## Contributing changes
28+
29+ The following can be run locally to see if changes will pass CI
30+
31+ - ` yarn --cwd backstage run test `
32+ - ` a ` when prompted to run all tests
33+ - ` yarn --cwd backstage run prettier . --check `
34+ - ` yarn --cwd backstage run tsc `
35+ - ` yarn --cwd backstage backstage-cli repo lint `
36+
37+ ## Updating Backstage version
38+
39+ After package install, backstage package dependencies can be updated with
40+
41+ ` yarn --cwd backstage backstage-cli versions:bump `
42+
43+ https://backstage.io/docs/getting-started/keeping-backstage-updated
44+
2745## Deploying on Kubernetes (Diamond Light Source)
2846
2947- Access the cluster with ` module load argus `
@@ -53,3 +71,64 @@ In order to deploy this application, the following secrets are required
5371 - ` s3:ListBucket `
5472 - ` s3:GetObject `
5573- ` AWS_SECRET_ACCESS_KEY ` - the corresponding AWS S3 bucket access key secret
74+
75+ ## Updating API Tokens
76+
77+ The portal uses GitHub and GitLab API tokens to query repositories, search for
78+ ` catalog.info ` files and populate the catalog. These tokens expire after a configurable
79+ period - generally 3 months. Tokens must be rolled over before this time elapses for the
80+ catalog to continue updating, which requires updating the sealed secrets in the values
81+ file for the specific deployment. There are two scripts to automate this process. They
82+ each print an encrypted token that is safe to commit and push to GitHub.
83+
84+ ### GitLab API Token
85+
86+ The GitLab API token is maintaine under a machine user account and can be rotated via a
87+ POST request with the existing token. There are separate tokens for dev-portal and
88+ dev-portal-dev. The script works for both depending on which cluster is currently
89+ active. To rotate the dev-portal token, run
90+
91+ ``` bash
92+ $ module load argus
93+ $ util/rotate-gitlab-token.sh
94+ New encrypted gitlab-token for developer-portal-backend:
95+ < encrypted-token>
96+ ```
97+
98+ or for the dev-portal-dev token
99+
100+ ``` bash
101+ $ module load pollux
102+ $ util/rotate-gitlab-token.sh
103+ New encrypted gitlab-token for developer-portal-dev-backend:
104+ < encrypted-token>
105+ ```
106+
107+ ### GitHub API Token
108+
109+ The GitHub API token is slightly more complicated. Currently it is linked to a user
110+ account and needs to be manually rotated and copied in the user GitHub developer tools
111+ settings. The same token is used for both dev-portal and dev-portal-dev, but the
112+ SealedSecret needs to be encrypted by the specific cluster it will be applied to.
113+ Again the script will handle this if the correct cluster is active. To update the
114+ dev-portal token, run
115+
116+ ``` bash
117+ $ module load argus
118+ $ util/encrypt-github-token.sh < unencrypted-token>
119+ New encrypted github-token for developer-portal-backend:
120+ < encrypted-token>
121+ ```
122+
123+ or for the dev-portal-dev token
124+
125+ ``` bash
126+ $ module load pollux
127+ $ util/encrypt-github-token.sh < unencrypted-token>
128+ New encrypted github-token for developer-portal-backend:
129+ < encrypted-token>
130+ ```
131+
132+ Note the whitespace before the command can prevent the unencrypted token being stored in
133+ your shell history (requires ` HIST_IGNORE_SPACE ` for zsh or ` HISTCONTROL=ignorespace `
134+ for bash).
0 commit comments