[WIP] Add support for Backstage/RHDH MCP DCR #219
base: development
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: rbac-policy | ||
| namespace: {{ .Release.Namespace }} | ||
| data: | ||
| rbac-policy.csv: | | ||
| p, role:default/mcp-admin, catalog.entity.read, read, allow | ||
| p, role:default/mcp-admin, catalog.entity.create, create, allow | ||
| p, role:default/mcp-admin, catalog.entity.delete, delete, allow | ||
| p, role:default/mcp-admin, catalog.entity.refresh, update, allow | ||
| p, role:default/mcp-admin, catalog.location.read, read, allow | ||
| p, role:default/mcp-admin, catalog.location.create, create, allow | ||
| p, role:default/mcp-admin, scaffolder.task.create, create, allow | ||
| p, role:default/mcp-admin, scaffolder.task.read, read, allow | ||
| p, role:default/mcp-admin, lightspeed.chat.read, read, allow | ||
| p, role:default/mcp-admin, lightspeed.chat.create, create, allow | ||
| p, role:default/mcp-admin, lightspeed.chat.delete, delete, allow | ||
| p, role:default/mcp-admin, lightspeed.chat.update, update, allow | ||
| p, role:default/mcp-admin, lightspeed.mcp.read, read, allow | ||
| p, role:default/mcp-admin, lightspeed.mcp.manage, update, allow | ||
| p, role:default/mcp-admin, lightspeed.notebooks.use, update, allow | ||
| g, user:default/mfaisal, role:default/mcp-admin | ||
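Review bot: the `g, user:default/mfaisal, role:default/mcp-admin` line ships a named individual's admin grant inside a chart artifact; make the subject(s) a Helm value (a list rendered into the `g` rows) with an empty default, so a default install creates the role without binding anyone to it. Worth a line in the chart docs as well: despite the name, `role:default/mcp-admin` carries `catalog.entity.create`, `catalog.entity.delete` and `scaffolder.task.create`, i.e. write and execute rights well beyond MCP access, so operators should know what they are granting when they add a user to it.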
@@ -4,6 +4,24 @@ global: | |
| includes: | ||
| - "dynamic-plugins.default.yaml" | ||
| plugins: | ||
| ##### Disable upstream lightspeed (replaced by custom DCR builds) ##### | ||
| - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed:bs_1.49.4__2.8.5 | ||
| disabled: true | ||
| - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed-backend:bs_1.49.4__2.8.5 | ||
| disabled: true | ||
|
|
||
| ##### OAuth2 consent page plugin (required for DCR) ##### | ||
| - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/backstage-plugin-auth:pr_2498__0.1.6 | ||
| disabled: false | ||
| pluginConfig: | ||
| dynamicPlugins: | ||
| frontend: | ||
| backstage.plugin-auth: | ||
| dynamicRoutes: | ||
| - path: /oauth2 | ||
| importName: Router | ||
| module: PluginRoot | ||
|
|
||
|
Comment on lines +7 to +24

2. CI helm index drift

charts/rhdh/values.yaml prepends new entries to global.dynamic.plugins, shifting the positional indices that scripts/ci-setup.sh overrides with --set global.dynamic.plugins[8]/[9]. This can disable unintended plugins in CI (or fail to disable the intended ones), causing CI installs to behave incorrectly or fail.
|
||
| ##### Custom sign in page plugin ##### | ||
| - package: oci://quay.io/redhat-ai-dev/rolling-demo-customized-sign-in-page:v0.1.1 | ||
| disabled: false | ||
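Review bot: the two `disabled: true` entries target the upstream Lightspeed packages at tag `bs_1.49.4__2.8.5`, but the lines this PR removes further down the file referenced `bs_1.49.4__2.9.0`; if `dynamic-plugins.default.yaml` ships 2.9.0, these overrides will not match and the upstream plugins stay enabled alongside the custom builds. Check the tag in the include and key the override on it (or drive both from one value). Separately, `backstage-plugin-auth:pr_2498__0.1.6` pins the OAuth2 consent page, a component on the authorization path, to a pull-request build; before this leaves WIP, replace it with a released tag or an immutable digest.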
|
|
@@ -329,7 +347,7 @@ global: | |
| lightspeed: | ||
| enabled: true | ||
| plugins: | ||
| - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed:bs_1.49.4__2.9.0 | ||
| - package: oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed:dcr-0.6.0!red-hat-developer-hub-backstage-plugin-lightspeed | ||
| disabled: false | ||
|
Comment on lines 349 to 351

1. rhdh-plugin-lightspeed tag format invalid

Several OCI plugin package references in charts/rhdh/values.yaml use non-compliant tag texts (dcr-0.4.0!… for the Lightspeed and Lightspeed backend plugins, and pr_2498__0.1.6 for a newly added package) that do not match the required bs_<backstage-version>__<plugin-version> format. This violates the enforced plugin image tag convention mandated for plugin images in this values file.
|
||
| pluginConfig: | ||
| dynamicPlugins: | ||
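Review bot: beyond the tag-format issue already raised, `oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed:dcr-0.6.0!...` moves the Lightspeed frontend from the `redhat-developer` registry namespace to a personal one, referenced by a mutable tag. Anyone who can push to that namespace can change what the chart installs without any change to this file; pin to an immutable reference (a digest, where the plugin installer accepts one) and plan the move to an org-owned repository before this is merged.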
|
|
@@ -340,7 +358,7 @@ global: | |
| module: Alpha | ||
| ref: lightspeedTranslationRef | ||
| dynamicRoutes: | ||
| - path: /lightspeed | ||
| - path: /intelligent-assistant | ||
| importName: LightspeedPage | ||
| mountPoints: | ||
| - mountPoint: application/listener | ||
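Review bot: the route rename from `/lightspeed` to `/intelligent-assistant` is changed only here; the mount point config a few lines below still uses `id: lightspeed`, and any docs, navigation entries or CI checks that link to `/lightspeed` will break. Either keep `/lightspeed` (the rename is not needed for DCR) or grep the chart and docs for the old path in the same PR.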
|
|
@@ -356,7 +374,7 @@ global: | |
| config: | ||
| id: lightspeed | ||
| priority: 100 | ||
| - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-lightspeed-backend:bs_1.49.4__2.9.0 | ||
| - package: oci://quay.io/maysunfaisal/rhdh-plugin-lightspeed-backend:dcr-0.6.0!red-hat-developer-hub-backstage-plugin-lightspeed-backend | ||
| disabled: false | ||
| secret: | ||
| create: false | ||
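Review bot: the backend and frontend Lightspeed packages are pinned to the same `dcr-0.6.0` tag in two separate literals (here and in the frontend entry above); a mismatch on a later bump would pair an incompatible frontend and backend. Template both from a single value (for example a `lightspeed.imageTag` value, name assumed) so they move together, and apply the same immutable-reference treatment as the frontend, since this image also comes from a personal `quay.io` namespace.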
|
|
@@ -418,6 +436,10 @@ backstage: | |
| enabled: true | ||
| experimentalRefreshToken: | ||
| enabled: true | ||
| experimentalDynamicClientRegistration: | ||
| enabled: true | ||
| allowedRedirectUriPatterns: | ||
| - '*' | ||
|
Comment on lines +439 to +442

3. Wildcard redirect URIs

values.yaml enables experimentalDynamicClientRegistration while allowing allowedRedirectUriPatterns: ['*'], which permits redirect URIs to match anything. This undermines OAuth redirect URI validation and can allow authorization code/token exfiltration to attacker-controlled redirect endpoints.
|
||
| session: | ||
| secret: "${BACKEND_SECRET}" | ||
| providers: | ||
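Review bot: in addition to the wildcard already flagged, `experimentalDynamicClientRegistration.enabled: true` becomes the chart default for every install, so every deployment accepts dynamic client registrations whether or not it uses MCP. Default this to `false`, make DCR an explicit opt-in, and when it is enabled require the operator to supply `allowedRedirectUriPatterns` (no default entry) so that `'*'` never ships in the chart.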
|
|
@@ -556,15 +578,22 @@ backstage: | |
| - resolver: emailMatchingUserEntityProfileEmail | ||
| lightspeed: | ||
| notebooks: | ||
| enabled: true | ||
| enabled: false | ||
| queryDefaults: | ||
| model: ${NOTEBOOKS_QUERY_MODEL} | ||
| provider_id: ${NOTEBOOKS_QUERY_PROVIDER_ID} | ||
| model: "${NOTEBOOKS_QUERY_MODEL}" | ||
| provider_id: "${NOTEBOOKS_QUERY_PROVIDER_ID}" | ||
| mcpServers: | ||
| - name: mcp-integration-tools | ||
| token: ${MCP_TOKEN} | ||
| auth: dcr | ||
| mcpActions: | ||
| namespacedToolNames: false | ||
| permission: | ||
| enabled: true | ||
| rbac: | ||
| policies-csv-file: /opt/app-root/src/rbac-policy.csv | ||
| admin: | ||
| users: | ||
| - name: user:default/mfaisal | ||
|
Comment on lines +590 to +596

4. Hardcoded RBAC admin user

The chart hardcodes user:default/mfaisal as a permission RBAC admin and also binds that same user to role:default/mcp-admin in the shipped rbac-policy.csv. Any environment where that identity exists will grant elevated permissions unintentionally via default chart install.
|
||
| integrations: | ||
| github: | ||
| - apps: | ||
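Review bot: `namespacedToolNames: false` drops the per-server prefix from MCP tool names; with a single `mcp-integration-tools` server it is harmless, but as a chart default it means a second server exposing a same-named tool will collide with or shadow the first. Leave namespacing on unless there is a documented reason, and add a comment if the DCR client needs it off. Also, `notebooks.enabled` flips to `false` while its `queryDefaults` are kept, and the removed `token: ${MCP_TOKEN}` may leave an unused `MCP_TOKEN` reference in the chart's secret templates; either drop it or note that it is still required for non-DCR servers.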
|
|
@@ -671,6 +700,10 @@ backstage: | |
| extraVolumeMounts: | ||
| - name: dynamic-plugins-root | ||
| mountPath: /opt/app-root/src/dynamic-plugins-root | ||
| - name: rbac-policy | ||
| mountPath: /opt/app-root/src/rbac-policy.csv | ||
| subPath: rbac-policy.csv | ||
| readOnly: true | ||
| # tmp backstage volume for scaffolder tasks | ||
| - name: backstage-tmp | ||
| mountPath: /tmp | ||
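Review bot: mounting the ConfigMap with `subPath: rbac-policy.csv` means Kubernetes will not propagate later ConfigMap updates into the running container (subPath mounts are not refreshed), so RBAC policy edits take effect only after a pod restart. Either mount the ConfigMap as a directory and point `policies-csv-file` at a file inside it, or add a checksum annotation for the ConfigMap to the pod template so policy changes trigger a rollout. `readOnly: true` is the right call here.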
|
|
@@ -701,6 +734,9 @@ backstage: | |
| emptyDir: {} | ||
| - name: extensions-catalog | ||
| emptyDir: {} | ||
| - name: rbac-policy | ||
| configMap: | ||
| name: rbac-policy | ||
| initContainers: | ||
| - name: install-dynamic-plugins | ||
| image: '{{ include "backstage.image" . }}' | ||
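Review bot: the volume references the ConfigMap by the literal name `rbac-policy`, matching the literal `metadata.name` in the new template; neither is release-scoped, so two releases of this chart in one namespace will fight over the same ConfigMap. Use the chart's fullname helper (the template already uses `{{ include "backstage.image" . }}`-style includes) in both the ConfigMap name and this reference.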
|
|
It is going to be very cool to get this level of authorization granularity once the DCR stuff lands @maysunfaisal @johnmcollier :-)