
feat(RHIDP-14601): enable dev-sandbox-catalog-plugin#403

Merged
openshift-merge-bot[bot] merged 1 commit into redhat-performance:main from pmacik:feat/RHIDP-14601 on Jun 30, 2026

Conversation

@pmacik pmacik commented Jun 15, 2026


No description provided.

openshift-ci Bot commented Jun 15, 2026


Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@pmacik pmacik force-pushed the feat/RHIDP-14601 branch 4 times, most recently from f4e644e to 52cdc24 on June 18, 2026 15:08
@pmacik pmacik marked this pull request as ready for review on June 18, 2026 15:10
@pmacik pmacik force-pushed the feat/RHIDP-14601 branch 3 times, most recently from bcbd3e9 to 50e2e22 on June 19, 2026 06:31
pmacik commented Jun 19, 2026


/hold

@pmacik pmacik force-pushed the feat/RHIDP-14601 branch 3 times, most recently from a91c8ea to 3ff758a on June 23, 2026 12:42
coderabbitai Bot commented Jun 23, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: e3b6b4cb-1c7a-45db-b2ea-8824c46cc077

📥 Commits

Reviewing files that changed from the base of the PR and between 81a42b4 and 891b998.

📒 Files selected for processing (20)
  • ci-scripts/dev-sandbox/collect-results.sh
  • ci-scripts/dev-sandbox/deploy.sh
  • ci-scripts/dev-sandbox/metrics-config.yaml
  • ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml
  • ci-scripts/rhdh-setup/common.sh
  • ci-scripts/rhdh-setup/deploy.sh
  • ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh
  • ci-scripts/rhdh-setup/template/backstage/app-config.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.db.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.urls.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/app-config.rhdh.dev-sandbox-catalog-plugin.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumemounts-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumes-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog.rbac.yaml
  • ci-scripts/rhdh-setup/template/backstage/rhdh-db/crunchy-postgres-op.yaml
  • ci-scripts/rhdh-setup/template/backstage/rhdh-db/postgres-cluster.yaml
  • test.env
💤 Files with no reviewable changes (1)
  • ci-scripts/rhdh-setup/template/backstage/app-config.yaml
✅ Files skipped from review due to trivial changes (8)
  • ci-scripts/rhdh-setup/template/backstage/rhdh-db/crunchy-postgres-op.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumemounts-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/app-config.rhdh.dev-sandbox-catalog-plugin.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.urls.yaml
  • test.env
  • ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
  • ci-scripts/dev-sandbox/collect-results.sh
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml
🚧 Files skipped from review as they are similar to previous changes (10)
  • ci-scripts/dev-sandbox/deploy.sh
  • ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.db.yaml
  • ci-scripts/dev-sandbox/metrics-config.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumes-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog.rbac.yaml
  • ci-scripts/rhdh-setup/common.sh
  • ci-scripts/rhdh-setup/deploy.sh
  • ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added optional cache label filtering support for OLM-based installs.
    • Added an optional dev-sandbox catalog plugin for developer-hub, including RBAC and catalog scheduling configuration.
    • Expanded developer-hub metrics collection to include additional pod and deployment metadata.
  • Bug Fixes

    • Updated Backstage OLM templates to the newer API version and improved generated app configuration wiring (database, URLs, and techdocs volume).
    • Refined external configuration labeling behavior and updated sandbox/back-end config defaults.
  • Chores

    • Updated Postgres operator targeting and refreshed pinned image digests.
    • Kept metrics summary CSV generation consistent.

Walkthrough

The PR updates the Backstage CR and OLM templates, adds optional dev-sandbox catalog plugin wiring, propagates a cache-label filter flag through installation scripts, switches resource marking to an external-config label, and extends developer-hub monitoring.

Changes

RHDH OLM Upgrade and Dev-Sandbox Plugin

Layer / File(s) Summary
External-config label migration
ci-scripts/rhdh-setup/common.sh, ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml
mark_resource_for_rhdh now applies only rhdh.redhat.com/external-config=true. The perf-workloads template adds the same label to generated ConfigMaps and Secrets, and updates the Backstage resource apiVersion and spec layout.
Cache label filter propagation
ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh, ci-scripts/rhdh-setup/deploy.sh, ci-scripts/dev-sandbox/deploy.sh, test.env
ENABLE_CACHE_LABEL_FILTER is added to the catalog source install script, exported from rhdh-setup/deploy.sh, passed from the dev-sandbox deploy path, and documented in test.env.
Backstage CR and OLM config templates
ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml, ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.db.yaml, ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.urls.yaml, ci-scripts/rhdh-setup/template/backstage/app-config.yaml, ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
The Backstage CR moves to rhdh.redhat.com/v1alpha5, gains DB and URL ConfigMap references, switches off local DB, moves replicas under deployment.patch, adds the TechDocs PVC mount, removes keycloak from the base app config, and updates the RBAC CSV path.
Dev-sandbox catalog plugin templates
ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/*
New template files add the dev-sandbox catalog provider config, the plugin patch image reference, the kube-api-access projected volume and mount, and the RBAC manifest for developer-hub.
OLM install orchestration and plugin wiring
ci-scripts/rhdh-setup/deploy.sh
rhdh-setup/deploy.sh exports ENABLE_DEV_SANDBOX_CATALOG_PLUGIN, creates additional OLM app-config ConfigMaps, augments dynamic-plugins, extends resource tracking, patches backstage.yaml for RBAC, resources, NODE_OPTIONS, and optional dev-sandbox plugin wiring, marks app-config-rhdh in OLM mode, and deletes the dev-sandbox RBAC template during cleanup.
Dev-sandbox monitoring updates
ci-scripts/dev-sandbox/metrics-config.yaml, ci-scripts/dev-sandbox/collect-results.sh
metrics-config.yaml adds monitor_pod and pod_info entries for rhdh-developer-hub, and collect-results.sh rewrites the csvcut step that produces metrics.summary.csv.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ❓ Inconclusive No pull request description was provided, so there is nothing meaningful to assess against the changeset. Add a brief description that states the purpose and scope of the changes, especially the dev-sandbox catalog plugin enablement.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: enabling the dev-sandbox catalog plugin.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@pmacik pmacik force-pushed the feat/RHIDP-14601 branch from 3ff758a to fa92b71 on June 23, 2026 12:54

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml`:
- Line 134: The hardcoded BACKEND_SECRET value in the template file at line 134
should not be committed to version control as it exposes a predictable secret
across all deployments. Replace the hardcoded secret value with a reference to a
runtime-provided environment variable or secret management system (such as a
variable substitution pattern) that allows the actual secret to be injected at
deployment time rather than stored in git.

In `@ci-scripts/rhdh-setup/deploy.sh`:
- Around line 916-918: The failureThreshold variable calculated using the bc
command can evaluate to 0 for small datasets due to integer division, which
Kubernetes rejects. Modify the failureThreshold calculation to ensure it is
clamped to a minimum value of 1 by applying a conditional check or mathematical
operation (such as using the maximum function) after the bc calculation to
guarantee the value is at least 1 before it is substituted into the yq commands
that update the readinessProbe and livenessProbe configuration.

In `@ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml`:
- Around line 1-2: The OCI image reference for
quay.io/asoro/dev-sandbox-catalog-backend-module in the patch file uses a
mutable tag (0.4.0) which is insecure since this patch is appended directly to
the dynamic-plugins ConfigMap as trusted cluster code at runtime. Replace the
mutable tag with an immutable SHA256 digest by changing the package reference
from using the colon separator with the tag to the at symbol with the full
digest value provided in the comment, ensuring the image is pinned to a specific
immutable version.

In `@ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog.rbac.yaml`:
- Around line 7-27: The ClusterRoleBinding named rhdh-useraccount-reader grants
unnecessary cluster-wide permissions for a namespace-scoped resource. Change the
kind from ClusterRoleBinding to RoleBinding in the second resource definition
and add a namespace field to its metadata set to ${RHDH_NAMESPACE} to properly
scope the binding to the specific namespace. The roleRef and subjects can remain
unchanged, but ensure the RoleBinding is now namespace-scoped rather than
cluster-scoped.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 380fb108-65b7-416a-84f4-55424f6f64ab

📥 Commits

Reviewing files that changed from the base of the PR and between e03232f and 3ff758a.

📒 Files selected for processing (18)
  • ci-scripts/dev-sandbox/collect-results.sh
  • ci-scripts/dev-sandbox/deploy.sh
  • ci-scripts/dev-sandbox/metrics-config.yaml
  • ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml
  • ci-scripts/rhdh-setup/common.sh
  • ci-scripts/rhdh-setup/deploy.sh
  • ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh
  • ci-scripts/rhdh-setup/template/backstage/app-config.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.db.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.urls.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/app-config.rhdh.dev-sandbox-catalog-plugin.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumemounts-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumes-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog.rbac.yaml
  • test.env
💤 Files with no reviewable changes (1)
  • ci-scripts/rhdh-setup/template/backstage/app-config.yaml

Comment on lines +916 to +918
failureThreshold=$(bc -l <<<"scale=0; ($API_COUNT + $COMPONENT_COUNT + $BACKSTAGE_USER_COUNT + $GROUP_COUNT) / 2000")
yq -i '(.spec.deployment.patch.spec.template.spec.containers[] | select(.name == "backstage-backend") | .readinessProbe) = {"httpGet":{"path":"/healthcheck","port":7007,"scheme":"HTTP"},"initialDelaySeconds":60,"timeoutSeconds":5,"periodSeconds":60,"successThreshold":1,"failureThreshold":'"$failureThreshold"'}' "$backstage_yaml"
yq -i '(.spec.deployment.patch.spec.template.spec.containers[] | select(.name == "backstage-backend") | .livenessProbe) = {"httpGet":{"path":"/healthcheck","port":7007,"scheme":"HTTP"},"initialDelaySeconds":60,"timeoutSeconds":5,"periodSeconds":60,"successThreshold":1,"failureThreshold":'"$failureThreshold"'}' "$backstage_yaml"
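Review bot: the `bc -l <<<"scale=0; (...) / 2000"` on line 916 truncates toward zero, so any entity total below 2000 yields `failureThreshold=0`, and lines 917-918 then write `"failureThreshold":0` into both the readiness and the liveness probe, which the API server rejects (the minimum is 1). Clamp the value before it is substituted (`[ "$failureThreshold" -lt 1 ] && failureThreshold=1`), and since the expression is pure integer arithmetic, plain `$(( ... ))` would also remove the dependency on `bc` being present in the deploy environment. Worth a comment next to the calculation: with `periodSeconds` 60 on the liveness probe, `failureThreshold` is also the number of minutes of failed health checks tolerated before a restart, so the entity-count scaling directly sets the restart latency.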


🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Clamp probe failureThreshold to a valid minimum.

Line 916 can evaluate to 0 for common small datasets, and Lines 917-918 then write failureThreshold: 0, which Kubernetes rejects.

Suggested fix
-    failureThreshold=$(bc -l <<<"scale=0; ($API_COUNT + $COMPONENT_COUNT + $BACKSTAGE_USER_COUNT + $GROUP_COUNT) / 2000")
+    totalEntities=$((API_COUNT + COMPONENT_COUNT + BACKSTAGE_USER_COUNT + GROUP_COUNT))
+    failureThreshold=$(((totalEntities + 1999) / 2000))
+    if [ "$failureThreshold" -lt 1 ]; then
+        failureThreshold=1
+    fi
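Review bot: the replacement changes the arithmetic, not only the zero case: `(totalEntities + 1999) / 2000` rounds up where the original `bc` expression rounded down, so for example 2500 entities now gives 2 instead of 1, and the `-lt 1` guard is only reached when all four counts are 0. If the intent is just to avoid the rejected `failureThreshold: 0`, keep the floor division and add the clamp; if the round-up is intended, say so in the commit message, since it raises the liveness restart delay for every total that is not a multiple of 2000.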

Comment on lines +1 to +2
- package: oci://quay.io/asoro/dev-sandbox-catalog-backend-module:0.4.0
disabled: false
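Review bot: `0.4.0` is a mutable tag in a personal quay.io namespace, so anyone who can push to `quay.io/asoro` can change the plugin code that deploy.sh appends to the dynamic-plugins ConfigMap without any change in this repository, and `disabled: false` means it is loaded as soon as the patch is appended. Pin the reference by digest (`@sha256:...`; the analysis below resolved the current one) so that a tag bump becomes a reviewed change in git, and have deploy.sh or CI reject any `oci://` package reference that lacks `@sha256:` so a later edit cannot reintroduce a tag.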


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
curl -fsSI \
  -H 'Accept: application/vnd.oci.image.manifest.v1+json' \
  'https://quay.io/v2/asoro/dev-sandbox-catalog-backend-module/manifests/0.4.0' \
  | awk -F': ' 'tolower($1)=="docker-content-digest"{print $2}'

Repository: redhat-performance/backstage-performance


🏁 Script executed:

# First, check the actual file content
cat -n ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml | head -20


🏁 Script executed:

# Search for deploy.sh to understand how this patch is used
fd deploy.sh


🏁 Script executed:

# Check if there are other image references with mutable tags
rg "oci://.*:[\d\.]+" ci-scripts/rhdh-setup/ -A 2 -B 2


🏁 Script executed:

# Examine the rhdh-setup deploy.sh to understand how it uses the patch file
cat -n ci-scripts/rhdh-setup/deploy.sh | head -100


🏁 Script executed:

# Search for references to dev-sandbox-catalog-plugin-patch in the deploy script
rg "dev-sandbox-catalog-plugin-patch" ci-scripts/rhdh-setup/ -B 5 -A 5


🏁 Script executed:

# Look for dynamic-plugins or ConfigMap references in deploy.sh
rg "dynamic-plugins|ConfigMap" ci-scripts/rhdh-setup/deploy.sh -B 3 -A 3


Pin the OCI image to an immutable digest.

The patch file is appended directly to the dynamic-plugins ConfigMap at runtime by deploy.sh, making the mutable 0.4.0 tag trusted cluster code. Update to use the image digest instead:

      - package: oci://quay.io/asoro/dev-sandbox-catalog-backend-module@sha256:4990dfec347d30177415fed79fd61ca6ec81843e3fac077c636a85c0d040cb28
        disabled: false

Alternatively, move the image to a vetted internal registry.

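As an added example (not code from the PR or from the repository): a POSIX sh check that rejects `oci://` dynamic-plugin package references which are not pinned by a well-formed sha256 digest, the rule the review above asks for. The sample inputs are constructed here from the reference as committed and from the digest-pinned form given in the comment; the handling of a trailing `!plugin-name` suffix is an assumption about RHDH's reference syntax.

```shell
#!/bin/sh
# Check the package references of a dynamic-plugins fragment (the text of a file
# such as dev-sandbox-catalog-plugin-patch.yaml, passed as one string).
# Prints one line per offending reference; returns 0 only when every oci://
# reference is pinned by a 64-hex-character sha256 digest.
check_oci_pins() {
    unpinned=0
    # Keep only the reference part of lines of the form "- package: oci://...".
    refs=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-[[:space:]]*package:[[:space:]]*\(oci:\/\/[^[:space:]]*\).*/\1/p')
    for ref in $refs; do
        case "$ref" in
            *@sha256:*)
                digest=${ref##*@sha256:}
                # Assumption: RHDH allows an optional "!plugin-name" suffix; ignore it.
                digest=${digest%%!*}
                if ! printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
                    echo "malformed digest: $ref"
                    unpinned=1
                fi
                ;;
            *)
                # Anything without @sha256: is a tag (or no tag at all), i.e. mutable.
                echo "unpinned (mutable tag): $ref"
                unpinned=1
                ;;
        esac
    done
    return $unpinned
}

# Constructed samples: the reference as committed in the PR, and the digest-pinned
# form from the review comment.
UNPINNED_SAMPLE='- package: oci://quay.io/asoro/dev-sandbox-catalog-backend-module:0.4.0
  disabled: false'
PINNED_SAMPLE='- package: oci://quay.io/asoro/dev-sandbox-catalog-backend-module@sha256:4990dfec347d30177415fed79fd61ca6ec81843e3fac077c636a85c0d040cb28
  disabled: false'

# In CI this would be: check_oci_pins "$(cat path/to/dev-sandbox-catalog-plugin-patch.yaml)" || exit 1
check_oci_pins "$UNPINNED_SAMPLE" || echo "sample 1 rejected, as expected"
check_oci_pins "$PINNED_SAMPLE" && echo "sample 2 accepted"
```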

Comment on lines +7 to +27
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rhdh-useraccount-reader
rules:
- apiGroups: ["toolchain.dev.openshift.com"]
resources: ["useraccounts"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rhdh-useraccount-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rhdh-useraccount-reader
subjects:
- kind: ServiceAccount
name: developer-hub
namespace: ${RHDH_NAMESPACE}
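Review bot: before changing the kind, check where the UserAccount objects the plugin reads actually live. The web result quoted below says they are created in the member operator's namespace (e.g. toolchain-member-operator), not in ${RHDH_NAMESPACE}; a RoleBinding in ${RHDH_NAMESPACE}, as the suggestion asks for, would then grant `developer-hub` read access to no UserAccounts at all and the catalog provider would silently return nothing. The least-privilege form is a RoleBinding placed in the namespace that holds the UserAccounts, with `subjects` unchanged (ServiceAccount `developer-hub` in ${RHDH_NAMESPACE}); the ClusterRoleBinding is justified only if the plugin must enumerate UserAccounts across every namespace, and in that case the reason belongs in a comment in this file.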


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n -C4 'name: useraccounts(\.toolchain\.dev\.openshift\.com)?|group: toolchain.dev.openshift.com|scope:' .


🏁 Script executed:

# Search for any reference to toolchain in the repository
rg -i 'toolchain' --type yaml --type yml -n | head -20


🏁 Script executed:

# Also search for any CRD definitions or scope declarations in the repo
fd -name "*.yaml" -o -name "*.yml" | xargs grep -l "scope:" 2>/dev/null | head -10


🌐 Web query:

toolchain.dev.openshift.com useraccounts CRD scope namespaced cluster

💡 Result:

The UserAccount custom resource definition (CRD) with the group toolchain.dev.openshift.com is namespaced, not cluster-scoped [1]. In the context of the CodeReady Toolchain architecture, UserAccount resources are created within specific namespaces (often managed by the member operator, such as toolchain-member-operator) to maintain information about users provisioned within that specific member cluster [1]. While the Toolchain control plane may manage resources across multiple clusters (host and member clusters), the UserAccount resource itself is scoped to a namespace within the cluster where it resides [1].


Change ClusterRoleBinding to RoleBinding for namespace-scoped access.

The toolchain.dev.openshift.com/useraccounts resource is namespaced, not cluster-scoped. Using ClusterRoleBinding grants unnecessary cluster-wide permissions; a RoleBinding scoped to the ${RHDH_NAMESPACE} namespace aligns with the least-privilege principle.


@pmacik pmacik force-pushed the feat/RHIDP-14601 branch 2 times, most recently from 73f973c to 2caf5b9 on June 25, 2026 06:09

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml`:
- Around line 77-83: The legacy external access secret is hardcoded in the
generated backend secret config, so update the template section that renders
app-config.rhdh.backend-secret.yaml to source externalAccess.options.secret from
the BACKEND_SECRET environment value instead of a fixed string. Use the existing
BACKEND_SECRET injection in the pod spec as the runtime-provided secret source,
and keep the configuration aligned with the backend auth settings in this
template.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 36b2c455-e59f-434d-9ba8-ded3399e50b8

📥 Commits

Reviewing files that changed from the base of the PR and between 3ff758a and 2caf5b9.

📒 Files selected for processing (18)
  • ci-scripts/dev-sandbox/collect-results.sh
  • ci-scripts/dev-sandbox/deploy.sh
  • ci-scripts/dev-sandbox/metrics-config.yaml
  • ci-scripts/dev-sandbox/rhdh-perf-workloads.backstages.template.yaml
  • ci-scripts/rhdh-setup/common.sh
  • ci-scripts/rhdh-setup/deploy.sh
  • ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh
  • ci-scripts/rhdh-setup/template/backstage/app-config.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.db.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.urls.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/app-config.rhdh.dev-sandbox-catalog-plugin.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumemounts-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumes-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog.rbac.yaml
  • test.env
💤 Files with no reviewable changes (1)
  • ci-scripts/rhdh-setup/template/backstage/app-config.yaml
✅ Files skipped from review due to trivial changes (8)
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumemounts-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-rbac-patch.yaml
  • ci-scripts/dev-sandbox/collect-results.sh
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-patch.yaml
  • test.env
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog.rbac.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.urls.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/app-config.rhdh.db.yaml
🚧 Files skipped from review as they are similar to previous changes (8)
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/dev-sandbox-catalog-plugin-volumes-patch.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/dev-sandbox/app-config.rhdh.dev-sandbox-catalog-plugin.yaml
  • ci-scripts/dev-sandbox/metrics-config.yaml
  • ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml
  • ci-scripts/rhdh-setup/common.sh
  • ci-scripts/dev-sandbox/deploy.sh
  • ci-scripts/rhdh-setup/install-rhdh-catalog-source.sh
  • ci-scripts/rhdh-setup/deploy.sh

@pmacik pmacik force-pushed the feat/RHIDP-14601 branch from 2caf5b9 to 81a42b4 on June 25, 2026 10:29
Signed-off-by: Pavel Macík <pavel.macik@gmail.com>
@pmacik pmacik force-pushed the feat/RHIDP-14601 branch from 81a42b4 to 891b998 on June 25, 2026 14:58
pmacik commented Jun 26, 2026


/unhold

openshift-ci Bot commented Jun 30, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pmacik, shashankkestwal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [pmacik,shashankkestwal]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit ba39e41 into redhat-performance:main Jun 30, 2026
4 checks passed