Backstage Debug
#!/bin/bash
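#######################################
# Interactively collect the GCP/GKE settings used by the rest of the script.
# Globals:   PROJECT_ID, CLUSTER_NAME, ZONE, LOG_FILE (all written)
# Arguments: none
# Inputs:    one line from stdin per setting
# Returns:   0 (status of the final assignment)
#######################################
prompt_user_input() {
  # -r keeps backslashes literal, so each value is stored exactly as typed
  # instead of being silently rewritten before it reaches gcloud.
  read -r -p "Enter your GCP Project ID: " PROJECT_ID
  read -r -p "Enter your GKE Cluster Name: " CLUSTER_NAME
  read -r -p "Enter your GKE Cluster Zone: " ZONE
  # Relative path: the log is appended to in the directory the script runs from.
  LOG_FILE="setup_gke_backstage.log"
}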
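# Prompt user for input, then reject values that cannot be valid before any
# gcloud/kubectl command sees them. An empty value leaves a required argument
# missing, and a value starting with "-" would be parsed as a command-line
# option rather than as a project, cluster or zone name.
prompt_user_input
for required in PROJECT_ID CLUSTER_NAME ZONE; do
  value=${!required}
  if [[ -z "$value" || "$value" == -* ]]; then
    # log() is defined further down, so report directly on stderr here.
    printf 'ERROR: %s must be non-empty and must not start with "-".\n' "$required" >&2
    exit 1
  fi
done
unset required value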
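#######################################
# Print a timestamped message and append it to the log file.
# Globals:   LOG_FILE (read) - path of the log file; if unset or empty the
#            message is only printed
# Arguments: $1 - message text
# Outputs:   "<YYYY-MM-DD HH:MM:SS> <message>" on stdout and in LOG_FILE
# Returns:   status of the final command in the output pipeline
#######################################
log() {
  local line
  line="$(date '+%Y-%m-%d %H:%M:%S') $1"
  if [[ -n "${LOG_FILE:-}" ]]; then
    # Quoted so a path containing spaces or glob characters stays ONE file
    # name; "--" keeps a path beginning with "-" from being read as an option.
    printf '%s\n' "$line" | tee -a -- "$LOG_FILE"
  else
    printf '%s\n' "$line"
  fi
}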
#######################################
# Record a fatal error through log() and stop the script.
# Arguments: $1 - description of the failure
# Outputs:   whatever log() emits for "ERROR: <description>"
# Returns:   never returns; exits the shell with status 1
#######################################
error_exit() {
  local reason=$1
  log "ERROR: ${reason}"
  exit 1
}
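#######################################
# Report the state of the Backstage/GKE prerequisites without changing
# anything: gcloud login, the caller's project-level IAM role, the Backstage
# ClusterRole/ClusterRoleBinding, and what the Backstage ServiceAccount may do.
# Globals:   PROJECT_ID (read)
# Arguments: none
# Outputs:   one log() line per check
# Returns:   status of the final log() call
# Note:      the kubectl checks run against whatever kubectl context is
#            current when this function is called.
#######################################
debug() {
  local -r sa_identity="system:serviceaccount:default:backstage-k8s-sa"
  local active_account role_exists verb resource sa_ok

  log "Starting debug..."

  log "Checking gcloud authentication..."
  # Ask gcloud for the active account directly. Searching the default table
  # for the word ACTIVE can also match the table's column heading, which says
  # nothing about whether an account is actually selected.
  active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
  if [[ -z "$active_account" ]]; then
    log "No active gcloud authentication found."
  else
    log "gcloud authentication found."
  fi

  log "Checking IAM roles in GCP project..."
  # Restrict the policy rows to the active account. Without the member filter
  # the check passes as soon as ANY principal in the project holds the role,
  # which hides a missing grant for the caller.
  role_exists=""
  if [[ -n "$active_account" ]]; then
    role_exists=$(
      gcloud projects get-iam-policy "$PROJECT_ID" \
        --flatten="bindings[].members" \
        --filter="bindings.members:${active_account}" \
        --format="value(bindings.role)" \
        | grep -Fx 'roles/container.clusterAdmin'
    )
  fi
  if [[ -z "$role_exists" ]]; then
    log "IAM role roles/container.clusterAdmin is not bound to the active account in GCP project."
  else
    log "IAM role roles/container.clusterAdmin is bound to the active account in GCP project."
  fi

  log "Checking Kubernetes RBAC..."
  if ! kubectl get clusterrolebinding backstage-binding > /dev/null 2>&1; then
    log "ClusterRoleBinding backstage-binding does not exist."
  else
    log "ClusterRoleBinding backstage-binding exists."
  fi
  if ! kubectl get clusterrole backstage-role > /dev/null 2>&1; then
    log "ClusterRole backstage-role does not exist."
  else
    log "ClusterRole backstage-role exists."
  fi

  log "Checking ServiceAccount permissions..."
  # "can-i --list" exits 0 whenever the query itself succeeds, whatever the
  # account is allowed to do. Ask about the exact verbs and resources that
  # backstage-role is meant to grant instead. A failure can also mean the
  # caller is not allowed to impersonate the ServiceAccount.
  sa_ok=1
  for resource in pods services namespaces; do
    for verb in get list watch; do
      if ! kubectl auth can-i "$verb" "$resource" \
        --as="$sa_identity" --all-namespaces > /dev/null 2>&1; then
        sa_ok=0
      fi
    done
  done
  if (( sa_ok == 0 )); then
    log "ServiceAccount backstage-k8s-sa may not have the correct permissions."
  else
    log "ServiceAccount backstage-k8s-sa has the correct permissions."
  fi

  log "Debug completed."
}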
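#######################################
# Walk through each prerequisite again and, with a y/n confirmation per item,
# repair it: gcloud login, project-level IAM role for the caller, and the
# Backstage ClusterRole/ClusterRoleBinding. ServiceAccount permission problems
# are only reported; fixing them is left to the operator.
# Globals:   PROJECT_ID (read)
# Arguments: none
# Inputs:    one "y"/other answer from stdin per detected issue
# Outputs:   prompts on stdout, progress through log()
# Returns:   status of the final log() call; any declined or failed fix ends
#            the script through error_exit()
#######################################
prompt_fix() {
  local -r sa_identity="system:serviceaccount:default:backstage-k8s-sa"
  local active_account member role_exists response verb resource sa_ok

  log "Prompting user for fixes..."

  # Query the active account directly; matching the word ACTIVE in the default
  # table can also hit the column heading.
  active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
  if [[ -z "$active_account" ]]; then
    printf '%s\n' "No active gcloud authentication found. Do you want to authenticate now? (y/n)"
    read -r response
    if [[ "$response" == "y" ]]; then
      gcloud auth login || error_exit "Failed to authenticate gcloud."
      active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
      [[ -n "$active_account" ]] || error_exit "Failed to authenticate gcloud."
    else
      error_exit "gcloud authentication required."
    fi
  fi

  # IAM members carry a type prefix; a service-account identity must not be
  # granted as "user:".
  if [[ "$active_account" == *.gserviceaccount.com ]]; then
    member="serviceAccount:${active_account}"
  else
    member="user:${active_account}"
  fi

  # Look only at bindings that name the active account. An unfiltered search
  # succeeds when any other principal holds the role.
  role_exists=$(
    gcloud projects get-iam-policy "$PROJECT_ID" \
      --flatten="bindings[].members" \
      --filter="bindings.members:${active_account}" \
      --format="value(bindings.role)" \
      | grep -Fx 'roles/container.clusterAdmin'
  )
  if [[ -z "$role_exists" ]]; then
    # Name the principal and project in the question: this is a project-level
    # grant, so the operator should see exactly who receives it and where.
    printf '%s\n' "IAM role roles/container.clusterAdmin is not bound to ${member} in project ${PROJECT_ID}. Do you want to assign it? (y/n)"
    read -r response
    if [[ "$response" == "y" ]]; then
      gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="$member" \
        --role="roles/container.clusterAdmin" \
        || error_exit "Failed to assign IAM role."
      log "IAM role assigned successfully."
    else
      error_exit "IAM role assignment required."
    fi
  fi

  if ! kubectl get clusterrolebinding backstage-binding > /dev/null 2>&1; then
    # These objects are cluster-scoped, so show which kubectl context will
    # receive them before asking for confirmation.
    printf '%s\n' "ClusterRoleBinding backstage-binding does not exist in kubectl context '$(kubectl config current-context 2> /dev/null)'. Do you want to create it? (y/n)"
    read -r response
    if [[ "$response" == "y" ]]; then
      # Feed the manifest on stdin: nothing is written to (or overwritten in)
      # the working directory, and no stale rbac.yaml is left behind.
      # The role is read-only (get/list/watch) on pods, services, namespaces.
      kubectl apply -f - <<'EOF' || error_exit "Failed to apply Kubernetes RBAC."
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: backstage-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: backstage-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: backstage-role
subjects:
- kind: ServiceAccount
  name: backstage-k8s-sa
  namespace: default
EOF
      log "Kubernetes RBAC created successfully."
    else
      error_exit "Kubernetes RBAC creation required."
    fi
  fi

  # "can-i --list" succeeds regardless of what is allowed, so test the exact
  # verbs and resources backstage-role is meant to grant.
  sa_ok=1
  for resource in pods services namespaces; do
    for verb in get list watch; do
      if ! kubectl auth can-i "$verb" "$resource" \
        --as="$sa_identity" --all-namespaces > /dev/null 2>&1; then
        sa_ok=0
      fi
    done
  done
  if (( sa_ok == 0 )); then
    printf '%s\n' "ServiceAccount backstage-k8s-sa may not have the correct permissions. Do you want to update the permissions? (y/n)"
    read -r response
    if [[ "$response" == "y" ]]; then
      # Manual step: nothing is changed here, the operator is only reminded.
      log "Please manually check and update the permissions for the ServiceAccount as necessary."
    else
      error_exit "ServiceAccount permission update required."
    fi
  fi

  log "Fixes applied successfully."
}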
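# Point kubectl at the requested cluster BEFORE inspecting or changing RBAC.
# Otherwise the checks and any "kubectl apply" act on whatever context happens
# to be current, which may be a different cluster. This attempt is non-fatal
# because the operator may not be logged in yet; the fix step can log in.
if gcloud container clusters get-credentials "$CLUSTER_NAME" --zone "$ZONE" --project "$PROJECT_ID"; then
  log "kubectl context set to: $(kubectl config current-context 2> /dev/null)"
else
  log "WARNING: could not fetch GKE credentials yet; kubectl checks use the current context: $(kubectl config current-context 2> /dev/null)"
fi

# Run debug first
debug

# Prompt user for fixes if issues are found
echo "Do you want to apply fixes for the detected issues? (y/n)"
read -r response
if [[ "$response" == "y" ]]; then
  prompt_fix
else
  # The script does not stop here; it still runs the access test below.
  log "No fixes applied."
fi

# Step 5: Test Access with kubectl
log "Testing access with kubectl..."
# Arguments are quoted so each value reaches gcloud as exactly one word.
gcloud container clusters get-credentials "$CLUSTER_NAME" --zone "$ZONE" --project "$PROJECT_ID" \
  || error_exit "Failed to get GKE cluster credentials."
kubectl get namespaces || error_exit "Failed to get namespaces. Please check the configuration."
log "Access test successful. Setup completed."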