23 changes: 23 additions & 0 deletions charts/rhdh/templates/rbac-policy-configmap.yaml
@@ -0,0 +1,23 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: rbac-policy
namespace: {{ .Release.Namespace }}
data:
rbac-policy.csv: |
p, role:default/mcp-admin, catalog.entity.read, read, allow
p, role:default/mcp-admin, catalog.entity.create, create, allow

Contributor

it is going to be very cool to get this level of authorization granularity once the DCR stuff lands @maysunfaisal @johnmcollier :-)

p, role:default/mcp-admin, catalog.entity.delete, delete, allow
p, role:default/mcp-admin, catalog.entity.refresh, update, allow
p, role:default/mcp-admin, catalog.location.read, read, allow
p, role:default/mcp-admin, catalog.location.create, create, allow
p, role:default/mcp-admin, scaffolder.task.create, create, allow
p, role:default/mcp-admin, scaffolder.task.read, read, allow
p, role:default/mcp-admin, lightspeed.chat.read, read, allow
p, role:default/mcp-admin, lightspeed.chat.create, create, allow
p, role:default/mcp-admin, lightspeed.chat.delete, delete, allow
p, role:default/mcp-admin, lightspeed.chat.update, update, allow
p, role:default/mcp-admin, lightspeed.mcp.read, read, allow
p, role:default/mcp-admin, lightspeed.mcp.manage, update, allow
p, role:default/mcp-admin, lightspeed.notebooks.use, update, allow
g, user:default/mfaisal, role:default/mcp-admin
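Review bot: `name: rbac-policy` under `metadata` is a fixed literal, and the `rbac-policy` volume added in values.yaml refers to the same literal, so two releases of this chart in one namespace would contend for a single ConfigMap and a single policy. Derive the name from the release (the chart's fullname helper, if it has one) and reference it from the volume the same way. The ConfigMap also carries no labels, so it will not show up in label-based queries for the release.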
50 changes: 43 additions & 7 deletions charts/rhdh/values.yaml
Expand Up @@ -4,6 +4,24 @@ global:
includes:
- "dynamic-plugins.default.yaml"
plugins:
##### Disable upstream lightspeed (replaced by custom DCR builds) #####
- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed:bs_1.49.4__2.8.5
disabled: true
- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed-backend:bs_1.49.4__2.8.5
disabled: true

##### OAuth2 consent page plugin (required for DCR) #####
- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/backstage-plugin-auth:pr_2498__0.1.6
disabled: false
pluginConfig:
dynamicPlugins:
frontend:
backstage.plugin-auth:
dynamicRoutes:
- path: /oauth2
importName: Router
module: PluginRoot

Comment on lines +7 to +24

Action required

2. CI Helm index drift 🐞 Bug ☼ Reliability

charts/rhdh/values.yaml prepends new entries to global.dynamic.plugins, shifting the positional
indices that scripts/ci-setup.sh overrides with --set global.dynamic.plugins[8]/[9]. This can
disable unintended plugins in CI (or fail to disable the intended ones), causing CI installs to
behave incorrectly or fail.
Agent Prompt
## Issue description
`charts/rhdh/values.yaml` prepends new items to `global.dynamic.plugins`, but CI uses positional Helm overrides (`global.dynamic.plugins[8]` and `[9]`) in `scripts/ci-setup.sh`. After the prepend, the same indices point at different plugin entries.

## Issue Context
Helm array overrides are order-dependent; inserting entries at the head of the list changes the meaning of any `--set ...[N]...` overrides.

## Fix Focus Areas
- scripts/ci-setup.sh[101-110]
- charts/rhdh/values.yaml[1-80]

## Suggested fix approaches
- Preferred: stop using hard-coded indices in CI. Instead, generate a small temporary values file in CI that disables plugins by matching `package:` (e.g., via `yq`), then pass that file to `helm install`.
- Acceptable fallback: if you must keep index-based overrides, update `scripts/ci-setup.sh` indices to match the new ordering **and** add a guard/comment that these must be updated whenever `global.dynamic.plugins` ordering changes.

##### Custom sign in page plugin #####
- package: oci://quay.io/redhat-ai-dev/rolling-demo-customized-sign-in-page:v0.1.1
disabled: false
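Review bot: the two `disabled: true` entries at the top of `plugins:` name the upstream lightspeed packages at `bs_1.49.4__2.8.5`, while the lightspeed entries this PR replaces further down in the same file were at `bs_1.49.4__2.9.0`. If the disable override is matched on the full package reference, a tag that differs from the one in `dynamic-plugins.default.yaml` would leave the upstream plugin enabled alongside the custom DCR build. Please confirm the tag matches the included defaults and add a comment that these two lines must be bumped together with that file.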
Expand Down Expand Up @@ -329,7 +347,7 @@ global:
lightspeed:
enabled: true
plugins:
- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed:bs_1.49.4__2.9.0
- package: oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed:dcr-0.6.0!red-hat-developer-hub-backstage-plugin-lightspeed
disabled: false
Comment on lines 349 to 351

Action required

1. rhdh-plugin-lightspeed tag format invalid 📘 Rule violation ≡ Correctness

Several OCI plugin package references in charts/rhdh/values.yaml use non-compliant tag texts
(dcr-0.4.0!… for the Lightspeed and Lightspeed backend plugins, and pr_2498__0.1.6 for a newly
added package) that do not match the required bs_<backstage-version>__<plugin-version> format.
This violates the enforced plugin image tag convention mandated for plugin images in this values
file.
Agent Prompt
## Issue description
`charts/rhdh/values.yaml` contains multiple OCI plugin package tags that do not follow the required `bs_<backstage-version>__<plugin-version>` convention (including `dcr-0.4.0!…` tags for the Lightspeed and Lightspeed backend plugins and the newly added `pr_2498__0.1.6` tag).

## Issue Context
PR Compliance ID 902156 requires all OCI plugin image tags in `charts/rhdh/values.yaml` to match `bs_<backstage-version>__<plugin-version>` (i.e., start with `bs_` and use the `__` separator between the two non-empty segments). Update the non-compliant tags to conform to this enforced format.

## Fix Focus Areas
- charts/rhdh/values.yaml[13-15]
- charts/rhdh/values.yaml[339-341]
- charts/rhdh/values.yaml[366-368]

pluginConfig:
dynamicPlugins:
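Review bot: the lightspeed frontend package now resolves to `quay.io/maysunfaisal/rhdh-plugin-lightspeed:dcr-0.6.0`, a personal registry namespace referenced by a mutable tag, in place of the `ghcr.io/redhat-developer/rhdh-plugin-export-overlays/...` image. Anyone able to push to that repository can change the code every install of this chart loads, without a change to this file. Publish the build under an organization-controlled repository and pin it by digest; the same applies to the `rhdh-plugin-lightspeed-backend` image in the later hunk, which runs in the backend process.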
Expand All @@ -340,7 +358,7 @@ global:
module: Alpha
ref: lightspeedTranslationRef
dynamicRoutes:
- path: /lightspeed
- path: /intelligent-assistant
importName: LightspeedPage
mountPoints:
- mountPoint: application/listener
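Review bot: the `dynamicRoutes` path changes from `/lightspeed` to `/intelligent-assistant` with no comment explaining it, and it is not part of the DCR wiring the rest of this PR adds. Existing links and bookmarks to `/lightspeed` will stop resolving. Either split this into its own change or document it, and check that nothing else in the chart or docs still points at the old path.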
Expand All @@ -356,7 +374,7 @@ global:
config:
id: lightspeed
priority: 100
- package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed-backend:bs_1.49.4__2.9.0
- package: oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed-backend:dcr-0.6.0!red-hat-developer-hub-backstage-plugin-lightspeed-backend
disabled: false
secret:
create: false
Expand Down Expand Up @@ -418,6 +436,10 @@ backstage:
enabled: true
experimentalRefreshToken:
enabled: true
experimentalDynamicClientRegistration:
enabled: true
allowedRedirectUriPatterns:
- '*'
Comment on lines +439 to +442

Action required

3. Wildcard redirect uris 🐞 Bug ⛨ Security

values.yaml enables experimentalDynamicClientRegistration while allowing
allowedRedirectUriPatterns: ['*'], which permits redirect URIs to match anything. This undermines
OAuth redirect URI validation and can allow authorization code/token exfiltration to
attacker-controlled redirect endpoints.
Agent Prompt
## Issue description
`auth.experimentalDynamicClientRegistration.allowedRedirectUriPatterns` is set to `'*'`, effectively allowing any redirect URI for dynamically registered clients.

## Issue Context
OAuth redirect URI validation is a key security control; wildcard patterns make it possible for a malicious client registration to supply a redirect URI controlled by an attacker.

## Fix Focus Areas
- charts/rhdh/values.yaml[422-427]

## Suggested fix
Replace the wildcard with a narrowly-scoped allowlist (e.g., specific origins/paths you control such as `${RHDH_BASE_URL}/oauth2/*` or exact callback URLs). If multiple environments are needed, make this configurable via chart values with safe defaults (no wildcard).

session:
secret: "${BACKEND_SECRET}"
providers:
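The wildcard redirect-URI finding in the review comment above, as an added example (not code from this PR or from Backstage): a hypothetical CI lint that rejects over-broad `allowedRedirectUriPatterns` entries and shows what each pattern would accept. It assumes the patterns are globs in which `*` matches any run of characters; the function names and the `rhdh.example.com` / `attacker.example` values are constructed.

```javascript
// Added example: a hypothetical CI lint, not Backstage's own matcher.
// Assumption: patterns are globs in which '*' matches any run of characters.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

function matchesAny(patterns, uri) {
  return patterns.some((p) => globToRegExp(p).test(uri));
}

// Returns one finding per problem; an empty array means the allowlist passed.
function auditRedirectPatterns(patterns, trustedHosts) {
  const findings = [];
  for (const p of patterns) {
    // Require a literal scheme and an authority before any path.
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]+)(\/.*)?$/i.exec(p);
    if (!m) {
      findings.push(`${p}: no fixed scheme and host`);
      continue;
    }
    const scheme = m[1].toLowerCase();
    const hostname = m[2].replace(/:\d+$/, '').toLowerCase();
    if (scheme !== 'https') findings.push(`${p}: scheme is not https`);
    if (hostname.includes('*')) {
      findings.push(`${p}: wildcard in host`);
    } else if (!trustedHosts.includes(hostname)) {
      findings.push(`${p}: host ${hostname} is not trusted`);
    }
  }
  return findings;
}

// Constructed sample values, not taken from the PR.
const TRUSTED = ['rhdh.example.com'];
const WILDCARD = ['*'];
const SCOPED = ['https://rhdh.example.com/oauth2/*'];
const FOREIGN_URI = 'https://attacker.example/cb';

console.log('wildcard accepts foreign URI:', matchesAny(WILDCARD, FOREIGN_URI));
console.log('wildcard findings:', auditRedirectPatterns(WILDCARD, TRUSTED));
console.log('scoped accepts foreign URI:', matchesAny(SCOPED, FOREIGN_URI));
console.log('scoped findings:', auditRedirectPatterns(SCOPED, TRUSTED));
```

A pattern such as `https://rhdh.example.com*` is flagged as a host wildcard because, without the closing `/`, the glob also accepts hosts that merely start with the trusted name.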
Expand Down Expand Up @@ -556,15 +578,22 @@ backstage:
- resolver: emailMatchingUserEntityProfileEmail
lightspeed:
notebooks:
enabled: true
enabled: false
queryDefaults:
model: ${NOTEBOOKS_QUERY_MODEL}
provider_id: ${NOTEBOOKS_QUERY_PROVIDER_ID}
model: "${NOTEBOOKS_QUERY_MODEL}"
provider_id: "${NOTEBOOKS_QUERY_PROVIDER_ID}"
mcpServers:
- name: mcp-integration-tools
token: ${MCP_TOKEN}
auth: dcr
mcpActions:
namespacedToolNames: false
permission:
enabled: true
rbac:
policies-csv-file: /opt/app-root/src/rbac-policy.csv
admin:
users:
- name: user:default/mfaisal
Comment on lines +590 to +596

Action required

4. Hardcoded rbac admin user 🐞 Bug ⛨ Security

The chart hardcodes user:default/mfaisal as a permission RBAC admin and also binds that same user
to role:default/mcp-admin in the shipped rbac-policy.csv. Any environment where that identity
exists will grant elevated permissions unintentionally via default chart install.
Agent Prompt
## Issue description
A specific human identity (`user:default/mfaisal`) is embedded in the chart defaults as an RBAC admin and is also granted the `mcp-admin` role in the policy CSV ConfigMap.

## Issue Context
Charts are often reused across environments; hardcoding a privileged user can unintentionally grant admin access in clusters where that identity exists.

## Fix Focus Areas
- charts/rhdh/values.yaml[575-581]
- charts/rhdh/templates/rbac-policy-configmap.yaml[1-23]

## Suggested fix
- Remove the hardcoded user from defaults.
- Parameterize admin users and role bindings via values (e.g., `.Values.backstage.upstream.backstage.appConfig.permission.rbac.admin.users` and/or a chart value like `.Values.permission.rbacPolicyCsv`), with an empty default.
- If a demo user is needed, gate it behind an explicit `demo: true`/`unsafeDefaults: true` value so production installs don’t inherit it.

integrations:
github:
- apps:
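Review bot: `lightspeed.notebooks.enabled` goes from `true` to `false` here, yet `queryDefaults` stays configured and the new rbac-policy.csv still grants `lightspeed.notebooks.use` to `role:default/mcp-admin`. If notebooks are meant to stay off, drop that policy row so the role carries no grant for a disabled feature; if the switch is temporary, say so in a comment next to `enabled: false`. The move from `token: ${MCP_TOKEN}` to `auth: dcr` also deserves a one-line comment, since anything that still provisions `MCP_TOKEN` becomes dead configuration.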
Expand Down Expand Up @@ -671,6 +700,10 @@ backstage:
extraVolumeMounts:
- name: dynamic-plugins-root
mountPath: /opt/app-root/src/dynamic-plugins-root
- name: rbac-policy
mountPath: /opt/app-root/src/rbac-policy.csv
subPath: rbac-policy.csv
readOnly: true
# tmp backstage volume for scaffolder tasks
- name: backstage-tmp
mountPath: /tmp
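Review bot: the `rbac-policy` mount uses `subPath: rbac-policy.csv`, and Kubernetes does not propagate ConfigMap updates to subPath mounts, so an edit to the policy (including removing a grant) will not reach a running pod until it is restarted. Mount the ConfigMap as a directory at a dedicated path and point `policies-csv-file` there, or add a checksum annotation of the ConfigMap to the pod template so a policy change rolls the deployment.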
Expand Down Expand Up @@ -701,6 +734,9 @@ backstage:
emptyDir: {}
- name: extensions-catalog
emptyDir: {}
- name: rbac-policy
configMap:
name: rbac-policy
initContainers:
- name: install-dynamic-plugins
image: '{{ include "backstage.image" . }}'
8 changes: 5 additions & 3 deletions scripts/setup-secrets.sh
Expand Up @@ -28,10 +28,12 @@ SECRET_NAME="llama-stack-secrets"
log "Creating $SECRET_NAME secret..."
kubectl create secret generic "$SECRET_NAME" \
--namespace="$RHDH_NAMESPACE" \
--from-literal=ENABLE_VLLM="true" \
--from-literal=ENABLE_VLLM="${ENABLE_VLLM:-}" \
--from-literal=ENABLE_OPENAI="${ENABLE_OPENAI:-}" \
--from-literal=ENABLE_VALIDATION="true" \
--from-literal=VLLM_URL="$VLLM_URL" \
--from-literal=VLLM_API_KEY="$VLLM_API_KEY" \
--from-literal=VLLM_URL="${VLLM_URL:-}" \
--from-literal=VLLM_API_KEY="${VLLM_API_KEY:-}" \
--from-literal=OPENAI_API_KEY="${OPENAI_API_KEY:-}" \
--from-literal=VALIDATION_PROVIDER="$VALIDATION_PROVIDER" \
--from-literal=VALIDATION_MODEL_NAME="$VALIDATION_MODEL_NAME" \
--from-literal=NOTEBOOKS_QUERY_PROVIDER_ID="$NOTEBOOKS_QUERY_PROVIDER_ID" \
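Review bot: with `ENABLE_VLLM="${ENABLE_VLLM:-}"` and `ENABLE_OPENAI="${ENABLE_OPENAI:-}"` both defaulting to empty, running the script with neither variable set now creates the secret with no provider enabled and empty `VLLM_URL`, `VLLM_API_KEY` and `OPENAI_API_KEY`, and nothing reports it. Before the `kubectl create secret` call, check that at least one of the two flags is set and that the matching URL and key are non-empty, and exit with a message otherwise. The `VALIDATION_*` and `NOTEBOOKS_*` lines still expand without a default, so the handling of unset variables is now inconsistent within the same command.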