Complete Helm chart values reference for execution environment builder

This page provides a complete Helm chart values configuration for execution environment builder with GitHub App authentication, content discovery, and private automation hub enabled.

Example configuration

The following example shows all execution environment builder settings in context. Adapt this to your environment.

upstream:
    backstage:
      appConfig:
        integrations:
          github:
            - host: github.com
              apps:
                - appId: ${GITHUB_APP_ID}
                  clientId: ${GITHUB_APP_CLIENT_ID}
                  clientSecret: ${GITHUB_APP_CLIENT_SECRET}
                  privateKey: ${GITHUB_APP_PRIVATE_KEY}

        backend:
          cors:
            origin:
              - ${BASE_URL}
              ## Add self-hosted Git provider URLs if not using github.com / gitlab.com:
              # - https://github.internal.example.com
              # - https://gitlab.internal.example.com

        auth:
          providers:
            github:
              production:
                clientId: ${GITHUB_OAUTH_CLIENT_ID}
                clientSecret: ${GITHUB_OAUTH_CLIENT_SECRET}

        catalog:
          locations:
            - type: url
              target: https://github.com/ansible/ansible-rhdh-templates/blob/v2.0.0/templates/ee-start-from-scratch.yaml
              rules:
                - allow: [Template]
            - type: url
              target: https://github.com/ansible/ansible-rhdh-templates/blob/v2.0.0/templates/ee-cloud-automation.yaml
              rules:
                - allow: [Template]
            - type: url
              target: https://github.com/ansible/ansible-rhdh-templates/blob/v2.0.0/templates/ee-network-automation.yaml
              rules:
                - allow: [Template]

          providers:
            rhaap:
              production:
                sync:
                  ansibleGitContents:
                    enabled: true
                    schedule:
                      frequency: {minutes: 120}
                      timeout: {minutes: 30}
                    providers:
                      github:
                        - name: "github-org"
                          host: github.com
                          checkSSL: true
                          orgs:
                            - name: <your_github_org>
                              branches: [main, master]
                              tags: ['v*']
                              galaxyFilePaths: []
                              crawlDepth: 0

                  pahCollections:
                    enabled: true
                    repositories:
                      - name: rh-certified
                        schedule:
                          frequency: {days: 1}
                          timeout: {minutes: 60}
                      - name: validated
                        schedule:
                          frequency: {days: 1}
                          timeout: {minutes: 60}
                      - name: published
                        schedule:
                          frequency: {days: 1}
                          timeout: {minutes: 60}

          ansible:
            skipTlsVerifyForHosts: []

        ansible:
          rhaap:
            baseUrl: https://aap.example.com
            token: ${AAP_API_TOKEN}

Note

Replace placeholder values (${...}, <your_github_org>, aap.example.com) with your actual environment values. Secrets referenced with ${...} are resolved from the secrets-scm OpenShift secret at runtime.

RHEL appliance configuration reference

The following example shows the equivalent configuration for RHEL appliance deployments in /etc/portal/configs/app-config/app-config.production.yaml. RHEL configuration omits the upstream.backstage.appConfig nesting used by the Helm chart.

integrations:
  github:
    - host: github.com
      apps:
        - appId: ${GITHUB_APP_ID}
          clientId: ${GITHUB_APP_CLIENT_ID}
          clientSecret: ${GITHUB_APP_CLIENT_SECRET}
          privateKey: ${GITHUB_APP_PRIVATE_KEY}

backend:
  cors:
    origin:
      - "https://portal.example.com"
      ## Add self-hosted Git provider URLs if not using github.com / gitlab.com:
      # - "https://github.internal.example.com"
      # - "https://gitlab.internal.example.com"

auth:
  providers:
    github:
      production:
        clientId: ${GITHUB_OAUTH_CLIENT_ID}
        clientSecret: ${GITHUB_OAUTH_CLIENT_SECRET}

catalog:
  providers:
    rhaap:
      production:
        sync:
          ansibleGitContents:
            enabled: true
            schedule:
              frequency: {minutes: 120}
              timeout: {minutes: 30}
            providers:
              github:
                - name: "github-org"
                  host: github.com
                  checkSSL: true
                  orgs:
                    - name: <your_github_org>
                      branches: [main, master]
                      tags: ['v*']
                      galaxyFilePaths: []

          pahCollections:
            enabled: true
            repositories:
              - name: rh-certified
                schedule:
                  frequency: {days: 1}
                  timeout: {minutes: 60}
              - name: validated
                schedule:
                  frequency: {days: 1}
                  timeout: {minutes: 60}

  ansible:
    skipTlsVerifyForHosts: []

ansible:
  rhaap:
    baseUrl: https://aap.example.com
    token: ${AAP_API_TOKEN}

Note

The ${...} references are resolved from Podman secrets through the Quadlet drop-in file (ee-builder-secrets.conf). PAT-based secrets (portal_github_token, portal_gitlab_token) are managed by the base portal infrastructure and do not require a drop-in entry.

Key configuration sections

integrations.github
Git provider authentication. Configure either a PAT (token) or a GitHub App (apps), not both. See Configure a GitHub App for content discovery or Configure a Personal Access Token for GitHub.
backend.cors.origin
CORS allowed origins. Add self-hosted Git provider URLs if not using github.com or gitlab.com.
auth.providers.github
OAuth App credentials for saving definition files and automated builds. See Configure a GitHub OAuth App for saving definitions.
catalog.locations
EE Builder wizard templates. Replace with private repository URLs for air-gapped environments. See Host EE wizard templates in a private Git repository.
catalog.providers.rhaap.production.sync.ansibleGitContents
Git content discovery configuration. See Configure collection discovery sources.
catalog.providers.rhaap.production.sync.pahCollections
Private automation hub collection discovery. See Configure collection discovery sources.
ansible.rhaap
Ansible Automation Platform connection settings including base URL and API token.
catalog.ansible.skipTlsVerifyForHosts
Hosts where TLS verification is skipped for catalog interactions. See Host EE wizard templates in a private Git repository.
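
The following pre-deployment check is an added example, not part of the product or its documentation. It audits a parsed app-config tree (the RHEL layout, or the upstream.backstage.appConfig subtree of the Helm values) for settings this reference covers: secrets written as literals instead of ${...} references, a PAT and a GitHub App configured together, checkSSL turned off, and hosts listed in skipTlsVerifyForHosts. The audit and walk functions, the WEAK sample, and the wildcard CORS check are assumptions made for the example.

```python
import re

SECRET_KEYS = {"clientSecret", "privateKey", "token"}
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # e.g. ${AAP_API_TOKEN}

def walk(node, path=()):
    """Yield (path, leaf) pairs from a parsed YAML tree of dicts and lists."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, path + (index,))
    else:
        yield path, node

def audit(app_config):
    """Return a list of findings for an app-config tree (hypothetical helper)."""
    findings = []
    # The reference says to configure a PAT (token) or a GitHub App (apps), not both.
    for entry in app_config.get("integrations", {}).get("github", []):
        if "token" in entry and "apps" in entry:
            findings.append("integrations.github: both token and apps are set")
    for path, value in walk(app_config):
        where = ".".join(str(p) for p in path)
        # Nearest mapping key above this leaf (list indexes are skipped).
        key = next((p for p in reversed(path) if isinstance(p, str)), None)
        if key in SECRET_KEYS and not ENV_REF.match(str(value)):
            findings.append(f"{where}: literal secret, expected a ${{...}} reference")
        elif key == "checkSSL" and value is not True:
            findings.append(f"{where}: certificate checking is disabled")
        elif key == "skipTlsVerifyForHosts":
            findings.append(f"{where}: TLS verification skipped for {value}")
        elif key == "origin" and value == "*":
            findings.append(f"{where}: wildcard CORS origin")
    return findings

# Constructed sample, not from the page: every flagged setting is a deliberate mistake.
WEAK = {
    "integrations": {"github": [{"host": "github.com", "token": "constructed-literal",
                                 "apps": [{"privateKey": "${GITHUB_APP_PRIVATE_KEY}"}]}]},
    "backend": {"cors": {"origin": ["*"]}},
    "catalog": {"ansible": {"skipTlsVerifyForHosts": ["git.internal.example.com"]}},
    "ansible": {"rhaap": {"baseUrl": "https://aap.example.com", "token": "${AAP_API_TOKEN}"}},
}

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

To run it against a real file, load the YAML with a safe loader first and pass the resulting dictionary to audit.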