Version: next

Post-Installation Steps

Create GitHub OAuth App and set secrets in OpenBao

The Platform-Portal authenticates via a GitHub OAuth App. You need to create an OAuth App in the Developer settings of the dedicated GitHub organization you created earlier.
Click the button "New OAuth App".

tip

For integrating the Portal via GitLab OAuth, please contact the kubriX support.

For GitHub Codespaces:

The URL of the Codespace has a random name and ID like https://crispy-robot-g44qvrx9jpx29xx7.github.dev/. Copy the hostname (codespace name) except ".github.dev" and set the URLs of the created OAuth App like this:

  • Homepage URL: <copied hostname>-6691.app.github.dev
  • Authorization callback URL: <copied hostname>-6691.app.github.dev/api/auth/github

For local KinD Cluster:

  • Homepage URL: https://backstage.127-0-0-1.nip.io
  • Authorization callback URL: https://backstage.127-0-0-1.nip.io/api/auth/github

For remote Kubernetes Cluster:

Example:

  • Homepage URL: backstage.demo-johnny.kubrix.cloud
  • Authorization callback URL: backstage.demo-johnny.kubrix.cloud/api/auth/github

After clicking "Register application", click on "Generate a new client secret".


Use the value of the "Client ID" for the variable GITHUB_CLIENTID in the step below. Use the generated client secret as the value for the variable GITHUB_CLIENTSECRET in the step below.

Then export GITHUB_CLIENTID and GITHUB_CLIENTSECRET from your GitHub OAuth App and write them to OpenBao via kubectl/curl:

export GITHUB_CLIENTID="<client-id-from-step-before>"
export GITHUB_CLIENTSECRET="<client-secret-from-step-before>"
export VAULT_HOSTNAME=$(kubectl get ingress -o jsonpath='{.items[*].spec.rules[*].host}' -n openbao)
export VAULT_TOKEN=$(kubectl get secret -n openbao openbao-init -o=jsonpath='{.data.root_token}' | base64 -d)
# Merge-patch the two values into the KV entry; -k disables TLS certificate verification.
curl -k --request PATCH \
  --header "X-Vault-Token:$VAULT_TOKEN" \
  --header "X-Vault-Namespace: kubrix" \
  --header "Content-Type: application/merge-patch+json" \
  --data "{\"data\": {\"GITHUB_CLIENTSECRET\": \"${GITHUB_CLIENTSECRET}\", \"GITHUB_CLIENTID\": \"${GITHUB_CLIENTID}\"}}" \
  https://${VAULT_HOSTNAME}/v1/kubrix-kv/data/portal/backstage/base
kubectl delete externalsecret -n backstage sx-cnp-secret
kubectl rollout restart deployment -n backstage sx-backstage

Create tokens for ArgoCD AppSet and GitOps promotion for newly onboarded teams

info

This step is not required now. When you onboard new teams to kubriX in the future, remember to also create the required tokens for ArgoCD AppSet and GitOps promotion.

Login

Once kubriX has installed successfully, you can access the platform services via these URLs and log in with these credentials:

Backstage

  • URL: https://backstage.127-0-0-1.nip.io
  • Username: via github
  • Password: via github

ArgoCD

  • URL: https://argocd.127-0-0-1.nip.io/
  • Username: admin
  • Password: kubectl get secret -n argocd argocd-initial-admin-secret -o=jsonpath='{.data.password}' | base64 -d

Kargo

  • URL: https://kargo.127-0-0-1.nip.io
  • Username: -
  • Password: kubectl get secret -n kargo kargo-admin-secret -o=jsonpath='{.data.ADMIN_ACCOUNT_PASSWORD}' | base64 -d

Grafana

  • URL: https://grafana.127-0-0-1.nip.io
  • Username: kubectl get secret -n grafana grafana-admin-secret -o=jsonpath='{.data.userKey}' | base64 -d
  • Password: kubectl get secret -n grafana grafana-admin-secret -o=jsonpath='{.data.passwordKey}' | base64 -d

Keycloak

  • URL: https://keycloak.127-0-0-1.nip.io
  • Username: admin
  • Password: kubectl get secret -n keycloak keycloak-admin -o=jsonpath='{.data.admin-password}' | base64 -d

FalcoUI

  • URL: https://falco.127-0-0-1.nip.io
  • Username: kubectl get secret -n falco falco-ui-creds -o=jsonpath='{.data.FALCOSIDEKICK_UI_USER}' | base64 -d | awk -F: '{print $1}'
  • Password: kubectl get secret -n falco falco-ui-creds -o=jsonpath='{.data.FALCOSIDEKICK_UI_USER}' | base64 -d | awk -F: '{print $2}'

Verify installation

Check if all ArgoCD applications are synced and healthy:

kubectl get applications -n argocd

warning

Known issue: The application sx-bootstrap-app can be OutOfSync periodically due to the sub-application sx-kyverno.
This will get fixed with https://github.com/suxess-it/kubriX/issues/1406
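
The check above can be scripted so that it fails on any application that is not Synced and Healthy while tolerating the known sx-bootstrap-app case. This is an added example, not part of the kubriX project; the function names and sample rows are hypothetical, and it assumes the default column order NAME, SYNC STATUS, HEALTH STATUS of `kubectl get applications --no-headers`.

```bash
#!/usr/bin/env bash
# Added example: evaluate rows from `kubectl get applications -n argocd --no-headers`.
# Assumed column order: NAME, SYNC STATUS, HEALTH STATUS.

# Application tolerated as OutOfSync (the known issue named on this page).
KNOWN_OUTOFSYNC="sx-bootstrap-app"

# Reads application rows on stdin and prints one line per finding.
# Returns 0 if every app is Synced/Healthy (known issue aside), otherwise 1.
check_apps() {
  awk -v known="$KNOWN_OUTOFSYNC" '
    NF == 0 { next }                               # ignore blank lines
    {
      total++
      name   = $1
      sync   = (NF >= 2) ? $2 : "Unknown"          # missing column counts as a failure
      health = (NF >= 3) ? $3 : "Unknown"
      if (health != "Healthy") {
        print "FAIL " name " health=" health; bad++
      } else if (sync != "Synced") {
        if (name == known && sync == "OutOfSync") {
          print "WARN " name " sync=" sync " (known issue)"
        } else {
          print "FAIL " name " sync=" sync; bad++
        }
      }
    }
    END {
      if (total == 0) { print "FAIL no applications found"; exit 1 }
      exit (bad > 0)
    }'
}

# Constructed sample rows for offline use, not output from a real cluster.
sample_rows() {
  cat <<'EOF'
sx-argocd          Synced     Healthy
sx-bootstrap-app   OutOfSync  Healthy
sx-kyverno         Synced     Healthy
sx-backstage       OutOfSync  Degraded
EOF
}

# Live use: kubectl get applications -n argocd --no-headers | check_apps
```
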

Next steps