Deploy the Backend with Software Templates

In this module you will deploy Neuralbank Backend using a Software Template. When you finish you will have a repository in Gitea, an application in ArgoCD, a Tekton pipeline run, and the API reachable on OpenShift.

Prerequisites

Access to Developer Hub with your user (user1) and password Welcome123!.
Permission to create components from templates in the workshop catalog.

Step 1: Open Create from Template

Log in to Developer Hub at https://backstage-developer-hub-developer-hub.apps.cluster.example.com
In the main menu, select Create.
Find the template Neuralbank: Backend API.

Step 2: Complete the Form

Fill in the fields:

Field Value

Field	Value
Name	`neuralbank-backend`
Owner (OpenShift username)	`user1`

Name

neuralbank-backend

Owner (OpenShift username)

user1

This creates namespace user1-neuralbank where all services deploy.

Do not use spaces in the repository name. The owner must match your OpenShift user for correct namespace permissions.

Step 3: Create and Wait for Scaffolding

Click Create (or Review then Create if there is a review step).
Stay on the progress screen until all scaffolder steps finish.

If a step fails, check permissions in Gitea or quota on namespace user1-neuralbank.

Step 4: Verify the Repository in Gitea

Open Gitea: https://gitea-gitea.apps.cluster.example.com
Locate the repository user1/neuralbank-backend.
Confirm that source code, manifests, tekton, and catalog-info.yaml exist.

# Expected repository structure
src/                     # Java/Quarkus source code
manifests/
  deployment.yaml
  service.yaml
  gateway.yaml           # Gateway API resource
  httproute.yaml         # HTTPRoute for the API
  authpolicy.yaml        # Kuadrant AuthPolicy (API Key + OIDC JWT)
  ratelimitpolicy.yaml   # Kuadrant RateLimitPolicy
  trigger-binding.yaml   # Tekton TriggerBinding
  trigger-template.yaml  # Tekton TriggerTemplate
  event-listener.yaml    # Tekton EventListener
tekton/
  pipeline.yaml          # CI/CD pipeline definition
devfile.yaml             # Dev Spaces configuration
catalog-info.yaml        # Backstage catalog registration
Dockerfile

Step 5: Verify the Application in ArgoCD

Open ArgoCD: https://openshift-gitops-server-openshift-gitops.apps.cluster.example.com
Find an Application named user1-neuralbank-backend.
Check Sync Status and Health; if OutOfSync, run Sync.

Step 6: Validate the Deployment on OpenShift

Open the OpenShift Console.
Switch to project user1-neuralbank.
Under Workloads → Pods, verify backend pods are Running.

Understanding the Authentication Model

The scaffolded backend uses an AuthPolicy that supports two authentication methods:

apiVersion: kuadrant.io/v1
kind: AuthPolicy
spec:
  defaults:
    rules:
      authentication:
        api-key-auth:          # Priority 0 — checked first
          apiKey:
            selector:
              matchLabels:
                app: neuralbank-backend
                kuadrant.io/apikey: "true"
          credentials:
            customHeader:
              name: X-API-Key
          priority: 0
        oidc:                  # Priority 1 — fallback
          jwt:
            issuerUrl: https://rhbk.apps.cluster.example.com/realms/neuralbank
          credentials:
            authorizationHeader:
              prefix: Bearer
          priority: 1
      response:
        unauthenticated:
          code: 401
          body:
            value: '{"error":"Authentication required."}'

Method How It Works

Method	How It Works
API Key (primary)	Send `X-API-Key` header with a key from a labeled Kubernetes Secret. This is the method used by the scaffolded frontend.
OIDC JWT (secondary)	Send `Authorization: Bearer <token>` with a valid JWT from Keycloak realm `neuralbank`. Useful for programmatic access if you already have a token.

API Key (primary)

Send X-API-Key header with a key from a labeled Kubernetes Secret. This is the method used by the scaffolded frontend.

OIDC JWT (secondary)

Send Authorization: Bearer <token> with a valid JWT from Keycloak realm neuralbank. Useful for programmatic access if you already have a token.

The scaffolded applications use API Key as the primary authentication method. The OIDC JWT option is available for Bearer token validation but does not include an interactive login flow. For a full interactive OIDC experience (browser redirect to Keycloak), see the pre-deployed neuralbank-stack in Module 9.

Step 7: Try the API Endpoints

The backend exposes REST endpoints through the Kuadrant gateway. Use an API Key to authenticate:

# Get the API key from the generated Secret
API_KEY=$(oc get secret -n user1-neuralbank \
  -l "app=neuralbank-backend,kuadrant.io/apikey=true" \
  -o jsonpath='\{.items[0].data.api_key}' | base64 -d)

echo "API Key: $API_KEY"

# List customers
curl -s -H "X-API-Key: $API_KEY" \
  "https://neuralbank-backend-user1-neuralbank.apps.cluster.example.com/api/customers" \
  | python3 -m json.tool

# List credits
curl -s -H "X-API-Key: $API_KEY" \
  "https://neuralbank-backend-user1-neuralbank.apps.cluster.example.com/api/credits" \
  | python3 -m json.tool

Step 8: Confirm Catalog Registration

Return to Developer Hub.
Find component neuralbank-backend in the Catalog.
Open the entity card and review links to the repository, documentation, and relationships (API entity).

Summary

You deployed the backend through the full path Hub → Template → Gitea → ArgoCD → Tekton → OpenShift. The API is protected by Kuadrant with API Key authentication (primary) and optional OIDC JWT validation. All services are in namespace user1-neuralbank.