park commit

Signed-off-by: skestwal <skestwal@redhat.com>

Author: shashankkestwal

ci-scripts/rhdh-setup/create_resource.sh

@@ -499,13 +499,48 @@ log_token_err() {
 }
 
 keycloak_token() {
+  local keycloak_pass=$1
+
+  # Log the start of token retrieval
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Starting Keycloak token retrieval\"}" >> "$TMP_DIR/gather_token.log"
+
   client_secret=$(oc -n "${RHDH_NAMESPACE}" get secret keycloak-client-secret-backstage -o template --template='{{.data.CLIENT_SECRET}}' | base64 -d)
-  curl -s -k "$(keycloak_url)/realms/backstage/protocol/openid-connect/token" \
+
+  local token_url="$(keycloak_url)/realms/backstage/protocol/openid-connect/token"
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"token_url\":\"$token_url\",\"message\":\"Making Keycloak token request\"}" >> "$TMP_DIR/gather_token.log"
+
+  # Capture both response and HTTP status
+  local token_response=$(curl -s -k -w "HTTPSTATUS:%{http_code}" "$token_url" \
     -d username=guru \
-    -d "password=$1" \
+    -d "password=$keycloak_pass" \
     -d 'grant_type=password' \
     -d 'client_id=backstage' \
-    -d "client_secret=$client_secret" | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
+    -d "client_secret=$client_secret")
+
+  # Extract HTTP status code
+  local http_code=$(echo "$token_response" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
+
+  # Extract response body
+  local response_body=$(echo "$token_response" | sed -e 's/HTTPSTATUS:.*//g')
+
+  # Log the complete token response
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"http_code\":\"$http_code\",\"token_url\":\"$token_url\",\"response_body\":$(echo "$response_body" | jq -c '.' 2>/dev/null || echo "\"$response_body\"")}" >> "$TMP_DIR/gather_token.log"
+
+  # Check for error status codes
+  if [ "$http_code" -eq 401 ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"http_code\":\"$http_code\",\"message\":\"UNAUTHORIZED - Invalid credentials for Keycloak token\",\"token_url\":\"$token_url\"}" >> "$TMP_DIR/gather_token.log"
+  elif [ "$http_code" -eq 403 ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"http_code\":\"$http_code\",\"message\":\"FORBIDDEN - Client not authorized for Keycloak token\",\"token_url\":\"$token_url\"}" >> "$TMP_DIR/gather_token.log"
+  elif [ "$http_code" -eq 400 ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"http_code\":\"$http_code\",\"message\":\"BAD REQUEST - Invalid token request parameters\",\"token_url\":\"$token_url\"}" >> "$TMP_DIR/gather_token.log"
+  elif [ "$http_code" -ge 400 ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"http_code\":\"$http_code\",\"message\":\"HTTP ERROR - Keycloak token request failed\",\"token_url\":\"$token_url\"}" >> "$TMP_DIR/gather_token.log"
+  else
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Keycloak token response received\",\"http_code\":\"$http_code\"}" >> "$TMP_DIR/gather_token.log"
+  fi
+
+  # Process the response
+  echo "$response_body" | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
 }
 
 rhdh_token() {
@@ -516,29 +551,56 @@ rhdh_token() {
   REALM="backstage"
   CLIENTID="backstage"
 
+  # Log the start of RHDH token retrieval
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Starting RHDH token retrieval\",\"auth_provider\":\"$AUTH_PROVIDER\"}" >> "$TMP_DIR/gather_token.log"
+
   if [[ "${AUTH_PROVIDER}" != "keycloak" ]]; then
-    # Corrected jq command for non-keycloak provider
-    ACCESS_TOKEN=$(curl -s -k --cookie "$COOKIE" --cookie-jar "$COOKIE" "$(backstage_url)/api/auth/guest/refresh" | jq -r ".backstageIdentity | .expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(50*60); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')")
+    # Log guest refresh attempt
+    local guest_url="$(backstage_url)/api/auth/guest/refresh"
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Using guest authentication\",\"refresh_url\":\"$guest_url\"}" >> "$TMP_DIR/gather_token.log"
+
+    ACCESS_TOKEN=$(curl -s -k --cookie "$COOKIE" --cookie-jar "$COOKIE" "$guest_url" | tee -a "$TMP_DIR/get_rhdh_token.log" | jq -r ".backstageIdentity | .expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(50*60); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')")
+    
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Guest token retrieved\",\"response_body\":$(echo "$ACCESS_TOKEN" | jq -c '.' 2>/dev/null || echo "\"$ACCESS_TOKEN\"")}" >> "$TMP_DIR/gather_token.log"
     echo "$ACCESS_TOKEN"
     return
   fi
 
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Making refresh URL call\",\"refresh_url\":\"$REFRESH_URL\"}" >> "$TMP_DIR/gather_token.log"
+
   LOGIN_URL=$(curl -I -k -sSL --dump-header "$TMP_DIR/login_url_headers.log" --cookie "$COOKIE" --cookie-jar "$COOKIE" "$REFRESH_URL")
   state=$(echo "$LOGIN_URL" | grep -oE 'state=[^&]+' | grep -oE '[^=]+$' | sed 's/%2F/\//g;s/%3A/:/g')
 
+  if [ -z "$state" ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Failed to extract state from refresh URL response\",\"refresh_url\":\"$REFRESH_URL\"}" >> "$TMP_DIR/gather_token.log"
+  else
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Extracted state from refresh response\",\"state\":\"$state\"}" >> "$TMP_DIR/gather_token.log"
+  fi
+
+  local keycloak_auth_url="$(keycloak_url)/realms/$REALM/protocol/openid-connect/auth"
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Making Keycloak auth URL call\",\"auth_url\":\"$keycloak_auth_url\"}" >> "$TMP_DIR/gather_token.log"
+
   AUTH_URL=$(curl -k -sSL --dump-header "$TMP_DIR/auth_url_headers.log" --get --cookie "$COOKIE" --cookie-jar "$COOKIE" \
     --data-urlencode "client_id=${CLIENTID}" \
     --data-urlencode "state=${state}" \
     --data-urlencode "redirect_uri=${REDIRECT_URL}" \
     --data-urlencode "scope=openid email profile" \
     --data-urlencode "response_type=code" \
-    "$(keycloak_url)/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
+    "$keycloak_auth_url" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
+
+  if [ -z "$AUTH_URL" ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Failed to get auth URL from Keycloak\",\"auth_url\":\"$keycloak_auth_url\"}" >> "$TMP_DIR/gather_token.log"
+  else
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Received auth URL from Keycloak\"}" >> "$TMP_DIR/gather_token.log"
+  fi
 
   execution=$(echo "$AUTH_URL" | grep -oE 'execution=[^&]+' | grep -oE '[^=]+$')
   tab_id=$(echo "$AUTH_URL" | grep -oE 'tab_id=[^&]+' | grep -oE '[^=]+$')
   # shellcheck disable=SC2001
   AUTHENTICATE_URL=$(echo "$AUTH_URL" | sed -e 's/\&/\&/g')
 
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Making authentication call\"}" >> "$TMP_DIR/gather_token.log"
+
   CODE_URL=$(curl -k -sS --dump-header "$TMP_DIR/code_url_headers.log" --cookie "$COOKIE" --cookie-jar "$COOKIE" \
     --data-raw "username=${USERNAME}&password=${PASSWORD}&credentialId=" \
     --data-urlencode "client_id=${CLIENTID}" \
@@ -550,14 +612,33 @@ rhdh_token() {
   code=$(echo "$CODE_URL" | grep -oE 'code=[^&]+' | grep -oE '[^=]+$')
   session_state=$(echo "$CODE_URL" | grep -oE 'session_state=[^&]+' | grep -oE '[^=]+$')
 
+  if [ -z "$code" ]; then
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Failed to extract authorization code\"}" >> "$TMP_DIR/gather_token.log"
+  else
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Extracted authorization code\"}" >> "$TMP_DIR/gather_token.log"
+  fi
+
   # shellcheck disable=SC2001
   CODE_URL=$(echo "$CODE_URL" | sed -e 's/\&/\&/g')
 
+  # Log final token exchange call
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Making final token exchange\"}" >> "$TMP_DIR/gather_token.log"
+
   ACCESS_TOKEN=$(curl -k -sSL --dump-header "$TMP_DIR/get_rhdh_token_headers.log" --cookie "$COOKIE" --cookie-jar "$COOKIE" \
     --data-urlencode "code=$code" \
     --data-urlencode "session_state=$session_state" \
     --data-urlencode "state=$state" \
     "$CODE_URL" | tee -a "$TMP_DIR/get_rhdh_token.log" | jq ".backstageIdentity | .expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30*60); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')")
+
+  # Log the complete RHDH token response
+  echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"RHDH token exchange complete\",\"response_body\":$(echo "$ACCESS_TOKEN" | jq -c '.' 2>/dev/null || echo "\"$ACCESS_TOKEN\"")}" >> "$TMP_DIR/gather_token.log"
+
+  if echo "$ACCESS_TOKEN" | jq -e '.token // .access_token' >/dev/null 2>&1; then
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"message\":\"RHDH token successfully retrieved\"}" >> "$TMP_DIR/gather_token.log"
+  else
+    echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"message\":\"Failed to retrieve valid RHDH token\"}" >> "$TMP_DIR/gather_token.log"
+  fi
+
   echo "$ACCESS_TOKEN"
 }
 

ci-scripts/rhdh-setup/deploy.sh

@@ -300,8 +300,58 @@ create_objs() {
 
 get_catalog_entity_count() {
     entity_type=$1
+
+    # Log the start of catalog entity count retrieval
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"message\":\"Starting catalog entity count retrieval\"}" >> "$TMP_DIR/catalog_sync.log"
+
+    # Get token and log the result
     ACCESS_TOKEN=$(get_token "rhdh")
-    curl -s -k "$(backstage_url)/api/catalog/entity-facets?facet=kind" --cookie "$COOKIE" --cookie-jar "$COOKIE" -H 'Content-Type: application/json' -H 'Authorization: Bearer '"$ACCESS_TOKEN" | tee -a "$TMP_DIR/get_$(echo "$entity_type" | tr '[:upper:]' '[:lower:]')_count.log" | jq -r '.facets.kind[] | select(.value == "'"$entity_type"'")| .count'
+    if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+        echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"message\":\"Failed to obtain RHDH access token\"}" >> "$TMP_DIR/catalog_sync.log"
+        echo "0"
+        return
+    fi
+
+    # Log token preview
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"message\":\"RHDH token obtained\",\"token_preview\":\"${ACCESS_TOKEN:0:20}...\"}" >> "$TMP_DIR/catalog_sync.log"
+
+    # Make the API call with detailed logging
+    local api_url="$(backstage_url)/api/catalog/entity-facets?facet=kind"
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"api_url\":\"$api_url\",\"message\":\"Making catalog API call\"}" >> "$TMP_DIR/catalog_sync.log"
+
+    # Capture both response and HTTP status
+    local api_response=$(curl -s -k -w "HTTPSTATUS:%{http_code}" "$api_url" --cookie "$COOKIE" --cookie-jar "$COOKIE" -H 'Content-Type: application/json' -H 'Authorization: Bearer '"$ACCESS_TOKEN")
+
+    # Extract HTTP status code
+    local http_code=$(echo "$api_response" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
+
+    # Extract response body
+    local response_body=$(echo "$api_response" | sed -e 's/HTTPSTATUS:.*//g')
+
+    # Log the complete API response
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"http_code\":\"$http_code\",\"api_url\":\"$api_url\",\"response_body\":$(echo "$response_body" | jq -c '.' 2>/dev/null || echo "\"$response_body\"")}" >> "$TMP_DIR/catalog_sync.log"
+
+    # Check for error status codes
+    if [ "$http_code" -eq 401 ]; then
+        echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"http_code\":\"$http_code\",\"message\":\"UNAUTHORIZED - Token may be invalid or expired\",\"api_url\":\"$api_url\"}" >> "$TMP_DIR/catalog_sync.log"
+    elif [ "$http_code" -eq 403 ]; then
+        echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"http_code\":\"$http_code\",\"message\":\"FORBIDDEN - Token lacks required permissions\",\"api_url\":\"$api_url\"}" >> "$TMP_DIR/catalog_sync.log"
+    elif [ "$http_code" -eq 404 ]; then
+        echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"http_code\":\"$http_code\",\"message\":\"NOT FOUND - Catalog API endpoint not available\",\"api_url\":\"$api_url\"}" >> "$TMP_DIR/catalog_sync.log"
+    elif [ "$http_code" -ge 400 ]; then
+        echo "{\"level\":\"error\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"http_code\":\"$http_code\",\"message\":\"HTTP ERROR - API call failed\",\"api_url\":\"$api_url\"}" >> "$TMP_DIR/catalog_sync.log"
+    fi
+
+    # Parse and return the count
+    local count=$(echo "$response_body" | jq -r '.facets.kind[] | select(.value == "'"$entity_type"'")| .count' 2>/dev/null)
+    
+    # Also log to individual entity files
+    echo "$response_body" | tee -a "$TMP_DIR/get_$(echo "$entity_type" | tr '[:upper:]' '[:lower:]')_count.log" >/dev/null
+    
+    # Log the extracted count
+    echo "{\"level\":\"info\",\"ts\":\"$(date -u -Ins)\",\"entity_type\":\"$entity_type\",\"count\":\"${count:-0}\",\"message\":\"Entity count extracted\"}" >> "$TMP_DIR/catalog_sync.log"
+    
+    echo "${count:-0}"
 }
 
 backstage_install() {

ci-scripts/rhdh-setup/template/backstage/app-config.yaml

@@ -23,7 +23,7 @@ catalog:
         groupQuerySize: 1000
         schedule:
           frequency: 
-            hours: 2
+            minutes: 1
           timeout: 
             minutes: 1
           initialDelay: 

ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml

@@ -8,25 +8,6 @@ global:
     plugins:
       - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
         disabled: false
-        pluginConfig:
-          catalog:
-            providers:
-              keycloakOrg:
-                default:
-                  baseUrl: ${KEYCLOAK_BASE_URL}
-                  realm: ${KEYCLOAK_REALM}
-                  loginRealm: ${KEYCLOAK_LOGIN_REALM}
-                  clientId: ${CLIENT_ID}
-                  clientSecret: ${CLIENT_SECRET}
-                  userQuerySize: 1000
-                  groupQuerySize: 1000
-                  schedule:
-                    frequency:
-                      minutes: 30
-                    timeout:
-                      minutes: 1
-                    initialDelay:
-                      seconds: 15
       - package: ./dynamic-plugins/dist/backstage-community-plugin-analytics-provider-segment
         disabled: true
       # TechDocs

ci-scripts/rhdh-setup/template/keycloak/keycloakRealmImport.yaml

@@ -26,15 +26,15 @@ spec:
           - ${OAUTH2_REDIRECT_URI}
         serviceAccountsEnabled: true
         standardFlowEnabled: true
+        serviceAccount:
+          realmRoles:
+            - offline_access
+            - uma_authorization
         serviceAccountClientRoles:
           realm-management:
             - query-groups
             - query-users
             - view-users
-            - view-clients
-            - view-realm
-            - manage-users
-            - manage-clients
     users:
       - username: guru
         firstName: Guru

test.env

@@ -3,7 +3,7 @@
 # To override system environment variables, uncomment the variables down bellow. It will be sourced by the ci-scripts.
 
 ## Scenario
-# export SCENARIO=baseline-test
+export SCENARIO=mvp
 # export BASE_HOST=
 # export USERS=100
 # export WORKERS=5
@@ -12,20 +12,20 @@
 # export WAIT_FOR_SEARCH_INDEX=false
 
 ## RHDH database population
-# export PRE_LOAD_DB=true
-# export BACKSTAGE_USER_COUNT=1
-# export GROUP_COUNT=1
-# export API_COUNT=1
-# export COMPONENT_COUNT=1
-# export KEYCLOAK_USER_PASS=changeme
-# export AUTH_PROVIDER=keycloak
+export PRE_LOAD_DB=true
+export BACKSTAGE_USER_COUNT=7
+export GROUP_COUNT=6
+export API_COUNT=5
+export COMPONENT_COUNT=2
+export KEYCLOAK_USER_PASS=changeme
+export AUTH_PROVIDER=keycloak
 # export POPULATION_CONCURRENCY=10
 # export COMPONENT_SHARD_SIZE=500
 
 ## RHDH installed via Helm
-# export RHDH_INSTALL_METHOD=helm
-# export RHDH_NAMESPACE=rhdh-performance-helm
-# export RHDH_HELM_REPO=oci://quay.io/rhdh/chart
+export RHDH_INSTALL_METHOD=helm
+export RHDH_NAMESPACE=rhdh-performance-helm-rhbk
+export RHDH_HELM_REPO=oci://quay.io/rhdh/chart
 # export RHDH_HELM_CHART=redhat-developer-hub
 # export RHDH_HELM_CHART_VERSION= # auto-determined in deploy.sh if empty and based on RHDH_BASE_VERSION
 # export RHDH_HELM_RELEASE_NAME=rhdh
@@ -68,11 +68,11 @@
 # export LOCUST_EXTRA_CMD=--debug=true
 # export ARTIFACT_DIR=.artifacts
 # export ENABLE_RBAC=false
-# export ENABLE_ORCHESTRATOR=false
+export ENABLE_ORCHESTRATOR=true
 # export RBAC_POLICY=all_groups_admin
 # export RBAC_POLICY_SIZE=10000
 # export ENABLE_PROFILING=false
-# export RHDH_LOG_LEVEL=warn
+export RHDH_LOG_LEVEL=debug
 # export PSQL_LOG=true
 # export PSQL_EXPORT=false