
Commit 4b5a589

feat: enable DCR authentication for Lightspeed MCP servers
- Add custom Lightspeed OCI images with DCR support (dcr-0.4.0)
- Configure MCP server with auth: dcr in values.yaml
- Enable experimentalDynamicClientRegistration
- Add @backstage/plugin-auth for OAuth2 consent page

Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 4c8ca75 commit 4b5a589

3 files changed

Lines changed: 70 additions & 9 deletions


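--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: rbac-policy
+namespace: {{ .Release.Namespace }}
+data:
+rbac-policy.csv: |
+p, role:default/mcp-admin, catalog.entity.read, read, allow
+p, role:default/mcp-admin, catalog.entity.create, create, allow
+p, role:default/mcp-admin, catalog.entity.delete, delete, allow
+p, role:default/mcp-admin, catalog.entity.refresh, update, allow
+p, role:default/mcp-admin, catalog.location.read, read, allow
+p, role:default/mcp-admin, catalog.location.create, create, allow
+p, role:default/mcp-admin, scaffolder.task.create, create, allow
+p, role:default/mcp-admin, scaffolder.task.read, read, allow
+p, role:default/mcp-admin, lightspeed.chat.read, read, allow
+p, role:default/mcp-admin, lightspeed.chat.create, create, allow
+p, role:default/mcp-admin, lightspeed.chat.delete, delete, allow
+p, role:default/mcp-admin, lightspeed.chat.update, update, allow
+p, role:default/mcp-admin, lightspeed.mcp.read, read, allow
+p, role:default/mcp-admin, lightspeed.mcp.manage, update, allow
+p, role:default/mcp-admin, lightspeed.notebooks.use, update, allow
+g, user:default/mfaisal, role:default/mcp-admin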
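Review bot: The last row of the CSV, `g, user:default/mfaisal, role:default/mcp-admin`, hard-codes one personal identity into a chart template, so every install of this chart binds the mcp-admin role to that user and nothing in values can change it. Render the `g,` rows from a values-defined list instead (name to be chosen), and add a comment above the block scalar such as `# Only policy source for DCR-registered MCP clients: every p, row below is reachable by the subjects bound in the g, rows.` so reviewers see that `catalog.entity.delete` and `scaffolder.task.create` are being handed to whichever clients those users authorize. The ConfigMap name `rbac-policy` is also not release-scoped, so two releases in one namespace would collide on it; the values.yaml hunks in this commit reference the same fixed name, so both would need to change together.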

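--- a/charts/rhdh/values.yaml
+++ b/charts/rhdh/values.yaml
@@ -4,6 +4,24 @@ global:
 includes:
 - "dynamic-plugins.default.yaml"
 plugins:
+##### Disable upstream lightspeed (replaced by custom DCR builds) #####
+- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed:bs_1.49.4__2.8.5
+disabled: true
+- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed-backend:bs_1.49.4__2.8.5
+disabled: true
+
+##### OAuth2 consent page plugin (required for DCR) #####
+- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/backstage-plugin-auth:pr_2498__0.1.6
+disabled: false
+pluginConfig:
+dynamicPlugins:
+frontend:
+backstage.plugin-auth:
+dynamicRoutes:
+- path: /oauth2
+importName: Router
+module: PluginRoot
+
 ##### Custom sign in page plugin #####
 - package: oci://quay.io/redhat-ai-dev/rolling-demo-customized-sign-in-page:v0.1.1
 disabled: false
@@ -319,7 +337,7 @@ global:
 lightspeed:
 enabled: true
 plugins:
-- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed:bs_1.49.4__2.8.5
+- package: oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed:dcr-0.6.0!red-hat-developer-hub-backstage-plugin-lightspeed
 disabled: false
 pluginConfig:
 dynamicPlugins:
@@ -346,7 +364,7 @@ global:
 config:
 id: lightspeed
 priority: 100
-- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed-backend:bs_1.49.4__2.8.5
+- package: oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed-backend:dcr-0.6.0!red-hat-developer-hub-backstage-plugin-lightspeed-backend
 disabled: false
 secret:
 create: false
@@ -403,6 +421,10 @@ backstage:
 licensedUsers: 50
 auth:
 environment: production
+experimentalDynamicClientRegistration:
+enabled: true
+allowedRedirectUriPatterns:
+- '*'
 session:
 secret: "${BACKEND_SECRET}"
 providers:
@@ -541,15 +563,22 @@ backstage:
 - resolver: emailMatchingUserEntityProfileEmail
 lightspeed:
 notebooks:
-enabled: true
+enabled: false
 queryDefaults:
-model: ${NOTEBOOKS_QUERY_MODEL}
-provider_id: ${NOTEBOOKS_QUERY_PROVIDER_ID}
+model: "${NOTEBOOKS_QUERY_MODEL}"
+provider_id: "${NOTEBOOKS_QUERY_PROVIDER_ID}"
 mcpServers:
 - name: mcp-integration-tools
-token: ${MCP_TOKEN}
+auth: dcr
 mcpActions:
 namespacedToolNames: false
+permission:
+enabled: true
+rbac:
+policies-csv-file: /opt/app-root/src/rbac-policy.csv
+admin:
+users:
+- name: user:default/mfaisal
 integrations:
 github:
 - apps:
@@ -656,6 +685,10 @@ backstage:
 extraVolumeMounts:
 - name: dynamic-plugins-root
 mountPath: /opt/app-root/src/dynamic-plugins-root
+- name: rbac-policy
+mountPath: /opt/app-root/src/rbac-policy.csv
+subPath: rbac-policy.csv
+readOnly: true
 # tmp backstage volume for scaffolder tasks
 - name: backstage-tmp
 mountPath: /tmp
@@ -686,6 +719,9 @@ backstage:
 emptyDir: {}
 - name: extensions-catalog
 emptyDir: {}
+- name: rbac-policy
+configMap:
+name: rbac-policy
 initContainers:
 - name: install-dynamic-plugins
 image: '{{ include "backstage.image" . }}'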
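Review bot: In the `@@ -403,6 +421,10 @@` hunk, `allowedRedirectUriPatterns: - '*'` accepts any redirect URI from any dynamically registered client, and since `experimentalDynamicClientRegistration.enabled: true` lets unauthenticated parties register clients, a registered client can have the consent page deliver an authorization code to whatever origin it names. Restrict the list to the callback URI pattern(s) of the MCP clients that are actually expected to register, e.g. `- '<mcp-client-callback-pattern>'` (placeholder), and leave a comment explaining why a wildcard is not acceptable here. In the `@@ -541,15 +563,22 @@` hunk, `users: - name: user:default/mfaisal` hard-codes a personal identity as RBAC admin in the shared values file; that belongs in an environment-specific override. The commit message says dcr-0.4.0, but the image tags introduced in the `@@ -319` and `@@ -346` hunks are `dcr-0.6.0`, so one of the two should be corrected.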

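--- a/scripts/setup-secrets.sh
+++ b/scripts/setup-secrets.sh
@@ -28,10 +28,12 @@ SECRET_NAME="llama-stack-secrets"
 log "Creating $SECRET_NAME secret..."
 kubectl create secret generic "$SECRET_NAME" \
 --namespace="$RHDH_NAMESPACE" \
---from-literal=ENABLE_VLLM="true" \
+--from-literal=ENABLE_VLLM="${ENABLE_VLLM:-}" \
+--from-literal=ENABLE_OPENAI="${ENABLE_OPENAI:-}" \
 --from-literal=ENABLE_VALIDATION="true" \
---from-literal=VLLM_URL="$VLLM_URL" \
---from-literal=VLLM_API_KEY="$VLLM_API_KEY" \
+--from-literal=VLLM_URL="${VLLM_URL:-}" \
+--from-literal=VLLM_API_KEY="${VLLM_API_KEY:-}" \
+--from-literal=OPENAI_API_KEY="${OPENAI_API_KEY:-}" \
 --from-literal=VALIDATION_PROVIDER="$VALIDATION_PROVIDER" \
 --from-literal=VALIDATION_MODEL_NAME="$VALIDATION_MODEL_NAME" \
 --from-literal=NOTEBOOKS_QUERY_PROVIDER_ID="$NOTEBOOKS_QUERY_PROVIDER_ID" \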
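Review bot: The `${VAR:-}` defaults on the new `ENABLE_VLLM`, `ENABLE_OPENAI`, `VLLM_URL`, `VLLM_API_KEY` and `OPENAI_API_KEY` lines mean an unset variable now silently becomes an empty secret key instead of failing, so a misconfigured environment produces a deployment whose provider has no URL or API key and the error surfaces only at request time. Before the `kubectl create secret` call, check that at least one provider is enabled and that its required values are non-empty, e.g. `if [ "${ENABLE_OPENAI:-}" = "true" ] && [ -z "${OPENAI_API_KEY:-}" ]; then log "OPENAI_API_KEY is required when ENABLE_OPENAI=true"; exit 1; fi`, with the same guard for `ENABLE_VLLM` against `VLLM_URL`/`VLLM_API_KEY`. `ENABLE_VLLM` was previously the literal `"true"`, so a consumer that distinguishes `"true"`/`"false"` may not treat the new empty string as disabled; presumably it should default to an explicit `"false"` rather than `""`, but confirm against the reader of this secret. The `kubectl create secret` command continues past the end of the hunk.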
