Release notes
Release notes for Red Hat Developer Hub 1.4
Abstract
Preface
Red Hat Developer Hub (Developer Hub) 1.4 is now generally available. Developer Hub is a fully supported, enterprise-grade productized version of upstream Backstage v1.32.6. You can access and download the Red Hat Developer Hub application from the Red Hat Customer Portal or from the Ecosystem Catalog.
Chapter 1. New features
This section highlights new features in Red Hat Developer Hub 1.4.
1.1. Added an individual mountPath
This update adds an additional individual mountPath
for extra configmaps or secrets.
1.2. PersistentVolumeClaims
support is available
With this update, PersistentVolumeClaims
(PVC) support is available.
1.3. Added Configuration Profiles
With this update, there are additional configuration profiles.
1.4. Enhanced use of kube-rbac-proxy
This update removes the kube-rbac-proxy
sidecar container from the RHDH Operator Pod. This sidecar container protected the operator metrics endpoint. However, the main container now provides this functionality out-of-the-box. Removing this sidecar container allows for reducing the resources required to run the Operator.
1.5. Identifying the Backstage flavor for plugins
With this update, you can use the developerHub.flavor
field to identify whether plugins are running on RHDH, RHTAP, or vanilla Backstage, as shown in the following example:
app-config.yaml
fragment with the developerhub.flavor
field
developerHub: flavor: <flavor>;
flavor
-
Identify the flavor of Backstage that is running. Default value:
rhdh
1.6. Ability to manage PVCs in RHDH Operator
You can now mount directories from pre-created PersistentVolumeClaims (PVCs) using the spec.application.extraFiles.pvcs
field, while configuring RHDH Operator. For more information, see Persistent Volume Claim (PVC).
1.7. Authenticating with Red Hat Build of Keycloak
With this update, you can use Red Hat Build of Keycloak as an authentication provider. The Keycloak plugin will now support ingesting users and groups with Red Hat Build of Keycloak. For more details, see Authentication with Red Hat Build of Keycloak.
1.8. Ability to install third-party plugins in RHDH
You can now install third-party plugins in Red Hat Developer Hub without rebuilding the RHDH application.
For more information, see Third party plugins.
1.9. The catalog backend module logs plugin is enabled
With this update, the backstage-plugin-catalog-backend-module-logs
is enabled and converted to a static plugin improving performance and stability. The dynamic plugin was disabled in version 1.3
.
Chapter 2. Breaking changes
This section lists breaking changes in Red Hat Developer Hub 1.4.
2.1. Updated monitoring and logging metrics
Prom-client metrics have been removed and replaced with OpenTelemetry metrics. As a result, the metrics port has changed from 7007
to 9464
. Deprecated metrics have also been removed. If you had dependencies on these, ensure your prometheus queries are updated. For further information, see Monitoring and logging
Additional resources
2.2. Plugins with updated scope
Some plugins previously under the @janus-idp
scope have moved to @backstage/community
:
Plugin Name | Plugin Name |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Two plugins previously under the @janus-idp scope have moved to @red-hat-developer-hub:
Plugin Name | RHDH |
|
|
|
|
Chapter 3. Deprecated functionalities
This section lists deprecated functionalities in Red Hat Developer Hub 1.4.
3.1. ./dynamic-plugins/dist/janus-idp-backstage-plugin-aap-backend-dynamic
plugin is deprecated
The ./dynamic-plugins/dist/janus-idp-backstage-plugin-aap-backend-dynamic
plugin has been deprecated and will be removed in the next release. You can use Ansible plug-ins for RHDH instead.
Additional resources
3.2. Audit log rotation is deprecated
With this update, you can evaluate your platform’s log forwarding solutions to align with your security and compliance needs. Most of these solutions offer configurable options to minimize the loss of logs in the event of an outage.
Additional resources
3.3. Red Hat Single-Sign On 7.6
is deprecated as an authentication provider
Red Hat Single-Sign On (RHSSO) 7.6
is deprecated as an authentication provider. You can continue to use RHSSO until the end of maintenance support. For details, see RHSSO lifecycle dates. As an alternative, migrate to Red Hat Build of Keycloak v24
.
Additional resources
Chapter 4. Technology Preview
This section lists Technology Preview features in Red Hat Developer Hub 1.4.
Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported under Red Hat Subscription Level Agreements, may not be functionally complete, and are not intended for production use. As Red Hat considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features. See: Technology Preview support scope.
4.1. Added notification backend plugins
With this update, Developer Hub includes the following dynamic plugins to manage and streamline notification delivery:
These plugins are disabled by default.
Chapter 5. Fixed issues
This section lists issues fixed in Red Hat Developer Hub 1.4.
5.1. Fixed issues in 1.4
5.1.1. GitHub issues plugin supports multiple GitHub integration hosts
Previously, the GitHub issues plugin defaulted to using the first GitHub integration it detected for all components. This behavior made it incompatible with setups involving multiple GitHub integration hosts.
Now, GitHub issues plugin supports multiple GitHub integration hosts. It uses the well-known entity slug annotation backstage.io/source-location
or backstage.io/managed-by-location
to determine the appropriate GitHub integration for a component. If no integration matches the slug, the first GitHub integration is selected, maintaining the previous behavior.
Additional resources
5.1.2. All API documentation is defined in the 3scale backend plugin
Previously, some API documentation defined in the 3scale backend plugin was not accessible in RHDH.
With this update, all API documentation defined in the 3scale backend plugin is imported and merged in the RHDH.
Additional resources
5.1.3. RHDH helm chart deployment throws NotAllowedError
Previously, when deploying with the Helm Chart, there could be a mismatch between the Route hostname and the baseUrl
fields added to the generated app-config ConfigMap. This could sometimes cause failure to authenticate against some providers due to an origin mismatch.
This update fixes this issue by ensuring no mismatch between those values.
Additional resources
5.1.4. Disable the creation of permission policies and roles when disabling the RBAC backend plugin
Previously, disabling the Role-Based Access Control (RBAC) backend plugin created roles and permission policies, whether the permission framework was enabled or not.
With this update, disabling the RBAC backend plugin no longer creates roles and permission policies.
Additional resources
5.1.5. Added alert on the deletion icon during bulk imports
Before this update, repositories were added to the Developer Hub from various sources, such as app-config
files or GitHub discovery. The Bulk Import plugin only tracked repositories accessible using the configured GitHub integrations. When both plugins were enabled, repositories discovered by GitHub Discovery appeared on Bulk Import pages. However, deleting these repositories from Bulk Import Jobs had no effect, as entities from discovery or app-config.yaml
file remained in the Developer Hub catalog.
With this update, an alert on the deletion icon notifies the user to modify the source (either the catalog-info
within the repository or the app-config.yaml
file if the file originates from there) to remove the catalog entity.
Additional resources
5.1.6. Removed the pre-configured custom resources from the Kubernetes configuration
Before this update, the custom resources in Kubernetes configuration were pre-configured. As a result, users could see Tekton warnings without configuring the custom resources in Kubernetes.
This update removes the pre-configured custom resources from the Kubernetes configuration. Therefore, users can customize resources to the Kubernetes configuration based on their requirements, preventing unrelated warnings from appearing.
Additional resources
5.1.7. RBAC Plugin is broken with latest Backstage version (1.31
)
Before this update, Role-Based Access Control (RBAC) backend plugin broke in Backstage 1.31
with an error.
This update resolves compatibility issues with RBAC backend plugin on Backstage versions 1.31
and 1.32
without displaying any errors.
Additional resources
5.1.8. The backstage instance always failed to start in version 5.1.0
Before this update, the backstage instance failed to start in version 5.1.0
, showing an error.
With this update, the Role-Based Access Control (RBAC) Backend plugin now starts successfully in version 5.1.0
without displaying any errors.
Additional resources
5.1.9. Resolved RBAC API inconsistency when scaling deployments to more than one pod
Before this update, scaling the deployment to more than one pod caused Role-Based Access Control (RBAC) roles to remain unsynced, allowing only the pod that created the resource to serve it.
With this update, RBAC roles are now properly synced across all pods, with Redis cache and traffic routing configured to ensure consistency across the deployment.
Additional resources
5.1.10. export-dynamic-plugin
fails to find dependencies nested deeper than one level in node_modules
Previously, the CLI examined the dependencies of embedded packages during the export process to know if other packages should be embedded. One of the methods was calling {{require}} when the CLI encountered a built embedded package, which was the case when wrapping an existing plugin.
This update changes the parent directory that the {{require}} uses from the monorepo root to the embedded package. Therefore, the dependent package found is the dependency that is most relevant to the embedded package.
Additional resources
5.1.11. suppress-native-package
and allow-native-package
flags to handle native modules
Previously, the CLI failed with a message that native modules are not supported.
This update introduces two new CLI flags that help dynamic plugin developers handle native modules. Both flags accept a list of packages. The --suppress-native-package
flag does not require the native module at runtime. It replaces the native module with an empty package that displays an error. The --allow-native-package
flag instructs the CLI to allow the native package during checks, and tests a plugin that uses a native module.
Additional resources
5.1.12. Resolved the issue with text selection when reporting a TechDoc issue
Previously, the feature to report a documentation (TechDoc) issue failed. Therefore, when a user selected a text in a TechDoc, a large icon appeared instead of a tooltip button.
With this update, users can select texts when reporting a documentation (TechDoc) issue.
Additional resources
5.1.13. Resolved the stdout maxBuffer
error
Previously, the export-dynamic-plugin
failed with an error that the stdout maxBuffer
length was exceeded.
With this update, the CLI redirects the output of the {{yarn install}} command it performs during the export process to a file. Therefore, a successful completion of the {{yarn install}} command and verification of the export-dynamic-plugin
, cleans up the file. The file is available for troubleshooting when the dynamic plugin validation checks fail.
Additional resources
5.1.14. Added an --ignore-version-check
flag
Previously, exporting a plugin that has not been updated to a newer backstage version failed due to a semver check performed on dependencies of the dynamic plugin package.
With this update, an --ignore-version-check
flag accepts a list of package names causing the CLI to selectively ignore the semver check the CLI performs when evaluating the plugin package dependencies. Therefore, a plugin that has not been updated works because it relies on unchanged interfaces and functions.
Additional resources
5.1.15. Updated the Tech Radar plugin
With this update, you are now required to enable both ./dynamic-plugins/dist/backstage-community-tech-radar
and ./dynamic-plugins/dist/backstage-community-tech-radar-backend-dynamic
to use the Tech Radar plugin. You must configure additional settings depending on where you choose to load the JSON data for the plugin.
Additional resources
Chapter 6. Fixed security issues
This section lists security issues fixed in Red Hat Developer Hub 1.4.
6.1. Red Hat Developer Hub 1.4.0
6.1.1. Red Hat Developer Hub dependency updates
- CVE-2024-24790
- A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn’t behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
- CVE-2024-24791
- A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
- CVE-2024-35255
- A flaw was found in the Azure identity library at github.com/Azure/azure-sdk-for-go/sdk/azidentity. This issue allows an elevation of privileges.
- CVE-2024-37891
-
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the
Proxy-Authorization
HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects. - CVE-2024-39008
- A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments to the objectMergeDeep function crafted with the built-in property: proto. This issue can potentially lead to a denial of service, remote code execution, or Cross-site scripting.
- CVE-2024-39249
- A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
6.1.2. RHEL 9 platform RPM updates
- CVE-2023-52439
- A flaw was found in the Linux kernel’s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system.
- CVE-2023-52884
- In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions
- CVE-2024-26739
- A use-after-free flaw was found in net/sched/act_mirred.c in the Linux kernel. This may result in a crash.
- CVE-2024-26929
- In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport
- CVE-2024-26930
- A vulnerability was found in the Linux kernel. A potential double-free in the pointer ha→vp_map exists in the Linux kernel in drivers/scsi/qla2xxx/qla_os.c.
- CVE-2024-26931
- In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix command flush on cable pull
- CVE-2024-26947
- A flaw was found in the Linux kernel’s ARM memory management functionality, where certain memory layouts cause a kernel panic. This flaw allows an attacker who can specify or alter memory layouts to cause a denial of service.
- CVE-2024-26991
- A flaw was found in the Linux Kernel. A lpage_info overflow can occur when checking attributes. This may lead to a crash.
- CVE-2024-27022
- In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized
- CVE-2024-35895
- In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem
- CVE-2024-36016
- In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
- CVE-2024-36899
- In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify
- CVE-2024-38562
- In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing
- CVE-2024-38570
- In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount
- CVE-2024-38573
- A NULL pointer dereference flaw was found in cppc_cpufreq_get_rate() in the Linux kernel. This issue may result in a crash.
- CVE-2024-38601
- In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks
- CVE-2024-38615
- In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional
- CVE-2024-39331
- A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.
- CVE-2024-40984
- In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
- CVE-2024-41071
- An out-of-bounds buffer overflow has been found in the Linux kernel’s mac80211 subsystem when scanning for SSIDs. Address calculation using out-of-bounds array indexing could result in an attacker crafting an exploit, resulting in the complete compromise of a system.
- CVE-2024-42225
- A potential flaw was found in the Linux kernel’s MediaTek WiFi, where it was reusing uninitialized data. This flaw allows a local user to gain unauthorized access to some data potentially.
- CVE-2024-42246
- In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
- CVE-2024-45490
- A flaw was found in libexpat’s xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
- CVE-2024-45491
- An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
- CVE-2024-45492
- A flaw was found in libexpat’s internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.
- CVE-2024-6119
- A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
Chapter 7. Known issues
This section lists known issues in Red Hat Developer Hub 1.4.
7.1. Topology plugin permission is not displayed in the RBAC front-end UI
Permissions associated only with front-end plugins do not appear in the UI because they require a backend plugin to expose the permission framework's well-known endpoint. As a workaround, you can apply these permissions by using a CSV file or directly calling the REST API of the RBAC backend plugin. Affected plugins include Topology (topology.view.read
), Tekton (tekton.view.read
), ArgoCD (argocd.view.read
), and Quay (quay.view.read
).
Additional resources
7.2. Unable to run two RHDH replicas on different nodes due to Multi-Attach errors on dynamic plugins root PVC
Currently, when deploying Developer Hub using the Helm Chart, two replicas cannot run on different cluster nodes. This might also affect the upgrade from 1.3 to 1.4.0 if the new pod is scheduled on a different node.
A possible workaround for the upgrade is to manually scale down the number of replicas to 0 before upgrading your Helm release. Or manually remove the old Developer Hub pod after upgrading the Helm release. However, this would imply some application downtime. You can also leverage a Pod Affinity rule to force the cluster scheduler to run your Developer Hub pods on the same node.
Additional resources