# Base Backstage Configuration
#
# This file contains the base configuration with environment variable placeholders.
# Environment variables are used in Docker builds and production deployments.
#
# For local development with k3d cluster:
# 1. Copy the example file: cp app-config.local.yaml.example app-config.local.yaml
# 2. Run: yarn start
# 3. The app-config.local.yaml will automatically override values from this file
#
# Note: app-config.local.yaml is gitignored and won't affect Docker builds.
# Docker builds only use app-config.production.yaml.
# Sign-in sends the browser through a full-page redirect to the identity
# provider instead of opening a popup window.
# See https://backstage.io/docs/auth/#sign-in-configuration
enableExperimentalRedirectFlow: true
app:
  title: OpenChoreo Portal
  # Public URL of the frontend. BACKSTAGE_BASE_URL is injected by the Helm chart
  # (https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml).
  # Local k3d: http://openchoreo.localhost (https://github.com/openchoreo/openchoreo install/dev/openchoreo-values.yaml)
  # Production: the external ingress URL (https://github.com/openchoreo/openchoreo install/helm/openchoreo/values.yaml, backstage.baseUrl)
  baseUrl: ${BACKSTAGE_BASE_URL}
organization:
  # Organization name shown by the Backstage frontend
  name: OpenChoreo
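backend:
  # Service-to-service auth: the secret is shared by all backend plugins.
  # See https://backstage.io/docs/auth/service-to-service-auth for
  # information on the format
  # auth:
  #   keys:
  #     - secret: ${BACKEND_SECRET}
  auth:
    # Turns off Backstage's default backend auth policy, so plugin endpoints
    # answer requests that carry no Backstage credential at all. This file is
    # the base layer for every deployment, so the setting is inherited unless
    # app-config.production.yaml (or app-config.local.yaml) overrides it.
    dangerouslyDisableDefaultAuthPolicy: true # TODO: Remove this when added auth properly
  # Environment variable is injected by Helm chart (see https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml)
  # For local k3d: http://openchoreo.localhost (set via https://github.com/openchoreo/openchoreo install/dev/openchoreo-values.yaml)
  # For production: external ingress URL (set via https://github.com/openchoreo/openchoreo install/helm/openchoreo/values.yaml backstage.baseUrl)
  baseUrl: ${BACKSTAGE_BASE_URL}
  listen:
    port: 7007
    # Uncomment the following host directive to bind to specific interfaces
    # host: 127.0.0.1
  csp:
    # Content-Security-Policy directives follow the Helmet format: https://helmetjs.github.io/#reference
    # Default Helmet Content-Security-Policy values can be removed by setting the key to false
    #
    # The bare `http:` / `https:` scheme sources let the frontend open
    # fetch/XHR/WebSocket connections to any origin. Narrow this to the hosts
    # the portal actually talks to (API, IdP, observability) once they are known.
    connect-src: ["'self'", 'http:', 'https:']
  cors:
    # Cross-origin browser requests are only accepted from the portal's own
    # base URL; `credentials: true` lets cookies/authorization headers accompany them.
    origin: ${BACKSTAGE_BASE_URL}
    methods: [GET, HEAD, PATCH, POST, PUT, DELETE]
    credentials: true
  # This is for local development only, it is not recommended to use this in production
  # The production database configuration is stored in app-config.production.yaml
  database:
    # In-memory SQLite: all catalog and plugin state is lost when the process exits
    client: better-sqlite3
    connection: ':memory:'
  # workingDirectory: /tmp # Use this to configure a working directory for the scaffolder, defaults to the OS temp-dir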
integrations:
  github:
    - host: github.com
      # GitHub Personal Access Token (PAT). How to create one and the rest of the
      # integration setup: https://backstage.io/docs/integrations/github/locations#configuration
      token: ${GITHUB_TOKEN}
    ### Example for how to add your GitHub Enterprise instance using the API:
    # - host: ghe.example.net
    #   apiBaseUrl: https://ghe.example.net/api/v3
    #   token: ${GHE_TOKEN}
  # GitLab integration (needed by the GitLab CI plugin).
  # Local development: uncomment and fill in app-config.local.yaml.
  # Production: configured in app-config.production.yaml from Helm-injected env vars.
  # gitlab:
  #   - host: gitlab.com
  #     token: ${GITLAB_TOKEN}
# =====================================================================
# External CI Platform Configuration
# =====================================================================
# External CI integrations are controlled by environment variables.
# For local development, uncomment and configure in app-config.local.yaml.
# For production (Helm), configs are in app-config.production.yaml with env var placeholders.
#
# Entity annotations control which CI platform is shown for each component:
# - Jenkins: jenkins.io/job-full-name
# - GitHub Actions: github.com/project-slug (uses integrations.github token)
# - GitLab: gitlab.com/project-slug or gitlab.com/project-id
# =====================================================================
# Jenkins Configuration
# Uncomment and configure in app-config.local.yaml if needed for local development
# jenkins:
#   baseUrl: ${JENKINS_BASE_URL}
#   username: ${JENKINS_USERNAME}
#   apiKey: ${JENKINS_API_KEY}
proxy:
  ### Example: expose an internal service to the frontend through the backend proxy.
  ### Typically used so the backend, not the browser, deals with HTTPS and CORS for that service.
  # endpoints:
  #   '/test':
  #     target: 'https://example.com'
  #     changeOrigin: true
# Reference documentation http://backstage.io/docs/features/techdocs/configuration
# Note: After experimenting with basic setup, use CI/CD to generate docs
# and an external cloud storage when deploying TechDocs for production use-case.
# https://backstage.io/docs/features/techdocs/how-to-guides#how-to-migrate-from-techdocs-basic-to-recommended-deployment-approach
techdocs:
  # local: docs are built by the backend itself; external: a CI job publishes them
  builder: local
  generator:
    # docker: the generator runs in a container, so the backend needs access to a
    # Docker daemon; local: mkdocs must be installed on the host instead
    runIn: docker
  publisher:
    # local: built docs live on the backend filesystem; googleGcs / awsS3 are the
    # alternatives (read the documentation before switching)
    type: local
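auth:
  # see https://backstage.io/docs/auth/ to learn about auth providers
  environment: development
  providers:
    # OpenChoreo Auth - Works with any OAuth2/OIDC-compliant identity provider
    # Environment variables are injected by Helm chart (see https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml)
    #
    # Configuration modes:
    # 1. OIDC Discovery (preferred): Set metadataUrl to auto-discover endpoints
    # 2. Explicit URLs: Set authorizationUrl and tokenUrl directly
    # If both are set, explicit URLs take precedence over discovered values
    openchoreo-auth:
      development:
        # The same client id/secret pair is reused by openchoreo.auth for
        # background client-credentials calls, so this is one credential to
        # rotate, not two.
        clientId: ${OPENCHOREO_AUTH_CLIENT_ID}
        clientSecret: ${OPENCHOREO_AUTH_CLIENT_SECRET}
        # OIDC Discovery URL (optional) - auto-discovers authorization/token endpoints
        metadataUrl: ${OPENCHOREO_AUTH_METADATA_URL}
        # Explicit OAuth2 endpoints (used if metadataUrl not set, or as override)
        authorizationUrl: ${OPENCHOREO_AUTH_AUTHORIZATION_URL}
        tokenUrl: ${OPENCHOREO_AUTH_TOKEN_URL}
        scope: 'openid profile email' # Override via OPENCHOREO_AUTH_OIDC_SCOPE in production
    # Guest provider - used when openchoreo.features.auth.enabled is false
    # Allows users to access the portal without authentication (demo/development mode)
    #
    # The guest provider normally only signs users in while auth.environment is
    # `development`; dangerouslyAllowOutsideDevelopment lifts that restriction in
    # every environment this base file is layered into. Together with
    # backend.auth.dangerouslyDisableDefaultAuthPolicy this leaves the portal and
    # its backend reachable without any credential, so keep it paired with
    # OPENCHOREO_FEATURES_AUTH_ENABLED=false and set it to false in
    # app-config.production.yaml wherever real sign-in is required.
    guest:
      dangerouslyAllowOutsideDevelopment: true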
scaffolder:
  # No scaffolder options are set here; the available ones are described at
  # https://backstage.io/docs/features/software-templates/configuration
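openchoreo:
  # Environment variables are injected by Helm chart (see https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml)
  # For local k3d: defaults to http://openchoreo-api.openchoreo.svc.cluster.local:8080/api/v1
  # For production: set via https://github.com/openchoreo/openchoreo install/helm/openchoreo/values.yaml backstage.openchoreoApi.url
  baseUrl: ${OPENCHOREO_API_URL}
  # Authentication configuration
  # User-initiated requests: Token forwarded from frontend (IDP access token via x-openchoreo-token header)
  # Background tasks (Catalog Provider): Uses client credentials below
  auth:
    # OAuth2 Client Credentials for background tasks (Catalog Entity Provider)
    # Required for the Catalog Provider to fetch organizations, projects, and components
    # Note: these are the same OPENCHOREO_AUTH_CLIENT_ID / OPENCHOREO_AUTH_CLIENT_SECRET
    # values that auth.providers.openchoreo-auth uses for interactive sign-in.
    clientId: ${OPENCHOREO_AUTH_CLIENT_ID}
    clientSecret: ${OPENCHOREO_AUTH_CLIENT_SECRET}
    tokenUrl: ${OPENCHOREO_AUTH_TOKEN_URL}
    scope: ${OPENCHOREO_AUTH_SCOPE} # Optional: space-separated scopes (e.g. 'api://client-id/.default openid')
  # Default owner for built-in Backstage entity kinds (Domain, System, Component, API)
  # Required by Backstage schema validation. Custom OpenChoreo kinds don't use owner.
  defaultOwner: 'openchoreo-users'
  schedule:
    frequency: 30 # seconds between runs (default: 30)
    timeout: 120 # seconds for timeout (default: 120)
  # Feature flags for enabling/disabling OpenChoreo functionality
  # These can be controlled via Helm values: backstage.features.*
  # Environment variables: OPENCHOREO_FEATURES_WORKFLOWS_ENABLED,
  #   OPENCHOREO_FEATURES_OBSERVABILITY_ENABLED, OPENCHOREO_FEATURES_AUTH_ENABLED,
  #   OPENCHOREO_FEATURES_AUTHZ_ENABLED
  features:
    # Workflow plane / Workflows functionality
    # When disabled, hides Workflows tab and WorkflowsOverviewCard from entity pages
    workflows:
      enabled: ${OPENCHOREO_FEATURES_WORKFLOWS_ENABLED}
    # Observability plane features (Metrics, Traces, Runtime Logs)
    # When disabled, hides Metrics, Traces, Runtime Logs tabs and RuntimeHealthCard from entity pages
    observability:
      enabled: ${OPENCHOREO_FEATURES_OBSERVABILITY_ENABLED}
    # Authentication configuration
    # When disabled (false), users are automatically logged in as guests (no OAuth required)
    auth:
      enabled: ${OPENCHOREO_FEATURES_AUTH_ENABLED}
    # Authorization configuration (Access Control)
    # When disabled, hides Access Control sidebar item and pages
    authz:
      enabled: ${OPENCHOREO_FEATURES_AUTHZ_ENABLED}
  # Component Type Mappings (optional - defaults provided)
  # Maps OpenChoreo component types to Backstage page variants
  # Custom mappings are evaluated before defaults
  # componentTypes:
  #   mappings:
  #     # Example: All React-based components should use website page variant
  #     - pattern: '^deployment/react-.*'
  #       pageVariant: 'website'
  #
  #     # Example: Anything with 'api' should be a service page variant
  #     - pattern: '^deployment/.*api.*'
  #       pageVariant: 'service'
  #
  #     # Example: Python workers might be scheduled tasks
  #     - pattern: '^deployment/python-worker.*'
  #       pageVariant: 'scheduled-task'
  #
  # Default mappings (applied if no custom mapping matches):
  #   - deployment/.*web-app.*  -> website
  #   - deployment/.*webapp.*   -> website
  #   - deployment/.*frontend.* -> website
  #   - cronjob/.*              -> scheduled-task
  #   - job/.*                  -> scheduled-task
  #   - deployment/.*           -> service
  #   - statefulset/.*          -> service
  #   - (no match)              -> default (uses defaultEntityPage)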
thunder:
  # THUNDER_BASE_URL is injected by the Helm chart
  # (https://github.com/openchoreo/openchoreo install/helm/openchoreo/templates/backstage/deployment.yaml).
  # Local k3d: set it in https://github.com/openchoreo/openchoreo install/dev/openchoreo-values.yaml (defaults to the internal service URL)
  # Production: https://github.com/openchoreo/openchoreo install/helm/openchoreo/values.yaml, backstage.thunder.baseUrl
  baseUrl: ${THUNDER_BASE_URL} # e.g., http://sts.openchoreo.localhost or https://idp.example.com
  # token: ${THUNDER_TOKEN} # Optional: uncomment if you need Thunder API authentication
  # Namespace assigned to imported User and Group entities
  defaultNamespace: default
  schedule:
    frequency: 600 # seconds between runs (default: 600 = 10 minutes)
    timeout: 300 # seconds for timeout (default: 300 = 5 minutes)
catalog:
  import:
    entityFilename: catalog-info.yaml
    pullRequestBranchName: backstage-integration
  # Entity kinds accepted from every location; the per-location rules below
  # additionally allow Template for the template files.
  rules:
    - allow:
        - Component
        - System
        - API
        - Resource
        - Location
        - User
        - Group
        - Environment
  locations:
    # Placeholder groups that Backstage entity owner references can point at
    - type: file
      target: ../../catalog-entities/org.yaml
      rules:
        - allow: [Group]
    # Software templates shipped with this repository
    - type: file
      target: ../../templates/create-openchoreo-project/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-componenttype/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-trait/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-workflow/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-environment/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-namespace/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-deploymentpipeline/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-clustercomponenttype/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-clustertrait/template.yaml
      rules:
        - allow: [Template]
    - type: file
      target: ../../templates/create-openchoreo-clusterworkflow/template.yaml
      rules:
        - allow: [Template]
    # - type: file
    #   target: ../../templates/create-openchoreo-component/template.yaml
    #   rules:
    #     - allow: [Template]
    ## Uncomment these lines to add more example data
    # - type: url
    #   target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/all.yaml
    ## Uncomment these lines to add an example org
    # - type: url
    #   target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/acme-corp.yaml
    #   rules:
    #     - allow: [User, Group]
  # Experimental: always use the search method in UrlReaderProcessor.
  # Backstage recommends new adopters turn this on; it becomes the default in a future release.
  useUrlReadersSearch: true
kubernetes:
  # No clusters are configured in this base file; options are documented at
  # https://backstage.io/docs/features/kubernetes/configuration
# see https://backstage.io/docs/permissions/getting-started for more on the permission framework
permission:
  # The permission framework is on; `false` switches every permission check off
  enabled: true