feat(backstage): enable pod deletion, improve RBAC and Kubernetes metadata integration

- Added pod deletion support in Backstage Kubernetes plugin (frontend.podDelete.enabled)
- Set serviceAccountNamespace to backstage-system in clusterLocator config
- Enhanced RBAC to allow Backstage to delete pods using a new ClusterRole
- Labeled pods and deployments for improved entity linking in Backstage
- Adjusted catalog rules and template ownership for xqueue-claim scaffolder

Author: wnqueiroz

.bootstrap/backstage/manifests/deployment.yaml

@@ -3,6 +3,10 @@ kind: Deployment
 metadata:
   name: backstage
   namespace: backstage-system
+  labels:
+    app: backstage
+    backstage.io/kubernetes-id: backstage
+    backstage.io/kubernetes-namespace: backstage-system
 spec:
   replicas: 1
   selector:
@@ -13,7 +17,9 @@ spec:
       labels:
         app: backstage
         backstage.io/kubernetes-id: backstage
+        backstage.io/kubernetes-namespace: backstage-system
     spec:
+      serviceAccountName: backstage-user
       containers:
         - name: backstage
           image: backstage:latest
@@ -28,12 +34,22 @@ spec:
                 name: postgres-secrets
             - secretRef:
                 name: backstage-secrets
+          env:
+            - name: SERVICE_ACCOUNT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: backstage-token
+                  key: token
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: postgres
   namespace: backstage-system
+  labels:
+    app: postgres
+    backstage.io/kubernetes-id: backstage-postgres
+    backstage.io/kubernetes-namespace: backstage-system
 spec:
   replicas: 1
   selector:
@@ -43,7 +59,8 @@ spec:
     metadata:
       labels:
         app: postgres
-        backstage.io.kubernetes-id: backstage-postgres
+        backstage.io/kubernetes-id: backstage-postgres
+        backstage.io/kubernetes-namespace: backstage-system
     spec:
       containers:
         - name: postgres

.bootstrap/backstage/manifests/rbac.yaml

@@ -70,3 +70,25 @@ subjects:
   - kind: ServiceAccount
     name: backstage-user
     namespace: backstage-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: backstage-k8s-pod-actions
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backstage-k8s-pod-actions-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: backstage-k8s-pod-actions
+subjects:
+  - kind: ServiceAccount
+    name: backstage-user
+    namespace: backstage-system

.bootstrap/backstage/up.sh

@@ -45,21 +45,6 @@ kind load docker-image "$IMAGE" --name "$CLUSTER_NAME"
 echo "Applying manifests from $MANIFESTS_DIR..."
 kubectl apply -f "$MANIFESTS_DIR" --recursive --namespace "$NS"
 
-# Wait for the ServiceAccount Secret to be created
-echo "Waiting for backstage-token to be created..."
-until kubectl get secret -n "$NS" backstage-token >/dev/null 2>&1; do
-    sleep 1
-done
-
-# Injecting SERVICE_ACCOUNT_TOKEN into backstage-secrets...
-echo "Injecting SERVICE_ACCOUNT_TOKEN into backstage-secrets..."
-SERVICE_ACCOUNT_TOKEN=$(kubectl get secret -n "$NS" backstage-token -o jsonpath='{.data.token}' | base64 --decode)
-
-kubectl patch secret backstage-secrets \
-    -n "$NS" \
-    --type='merge' \
-    -p "{\"data\": {\"SERVICE_ACCOUNT_TOKEN\": \"$(echo -n "$SERVICE_ACCOUNT_TOKEN" | base64)\"}}"
-
 # Wait for postgres deployment to be ready
 echo "Waiting for postgres deployment to be ready..."
 kubectl rollout status deployment/postgres -n "$NS" --timeout=120s || {

backstage/app-config.production.yaml

@@ -53,18 +53,23 @@ catalog:
     entityFilename: catalog-info.yaml
     pullRequestBranchName: backstage-integration
   rules:
-    - allow: ['*']
+    - allow: [Component, System, API, Resource, Location]
   locations:
     # All Templates
     - type: url
       target: https://github.com/wnqueiroz/platform-engineering-backstack/blob/main/backstage/catalog/all.yaml
+      rules:
+        - allow: [Template, System, User, Group]
 
   # Experimental: Always use the search method in UrlReaderProcessor.
   # New adopters are encouraged to enable it as this behavior will be the default in a future release.
   useUrlReadersSearch: true
 
 kubernetes:
   # see https://backstage.io/docs/features/kubernetes/configuration for kubernetes configuration options
+  frontend:
+    podDelete:
+      enabled: true
   serviceLocatorMethod:
     type: 'multiTenant'
   clusterLocatorMethods:
@@ -76,3 +81,4 @@ kubernetes:
           skipTLSVerify: true
           skipMetricsLookup: true
           serviceAccountToken: ${SERVICE_ACCOUNT_TOKEN}
+          serviceAccountNamespace: backstage-system

backstage/app-config.yaml

@@ -76,11 +76,13 @@ catalog:
     entityFilename: catalog-info.yaml
     pullRequestBranchName: backstage-integration
   rules:
-    - allow: ['*']
+    - allow: [Component, System, API, Resource, Location]
   locations:
     # All Templates
     - type: url
       target: https://github.com/wnqueiroz/platform-engineering-backstack/blob/main/backstage/catalog/all.yaml
+      rules:
+        - allow: [Template, System, User, Group]
 
     # Local example data, file locations are relative to the backend process, typically `packages/backend`
     - type: file
@@ -113,6 +115,9 @@ catalog:
 
 kubernetes:
   # see https://backstage.io/docs/features/kubernetes/configuration for kubernetes configuration options
+  frontend:
+    podDelete:
+      enabled: true
   serviceLocatorMethod:
     type: 'multiTenant'
   clusterLocatorMethods:
@@ -124,6 +129,7 @@ kubernetes:
           skipTLSVerify: true
           skipMetricsLookup: true
           serviceAccountToken: ${SERVICE_ACCOUNT_TOKEN}
+          serviceAccountNamespace: backstage-system
 
 # see https://backstage.io/docs/permissions/getting-started for more on the permission framework
 permission:

backstage/catalog/templates/xqueue-claim/template.yaml

@@ -5,7 +5,7 @@ metadata:
   title: Create XQueue Claim
   description: Creates a Crossplane XQueueClaim and opens a PR with the YAML.
 spec:
-  owner: user:guest
+  owner: guests
   type: infrastructure
 
   parameters: