Release notes


Red Hat Developer Hub 1.4

Release notes for Red Hat Developer Hub 1.4

Red Hat Customer Content Services

Abstract

Red Hat Developer Hub is a developer platform for building developer portals. This document contains release notes for the Red Hat Developer Hub 1.4.

Preface

Red Hat Developer Hub (Developer Hub) 1.4 is now generally available. Developer Hub is a fully supported, enterprise-grade productized version of upstream Backstage v1.32.6. You can access and download the Red Hat Developer Hub application from the Red Hat Customer Portal or from the Ecosystem Catalog.

Chapter 1. New features

This section highlights new features in Red Hat Developer Hub 1.4.

1.1. Added an individual mountPath

This update adds an additional individual mountPath for extra configmaps or secrets.

1.2. PersistentVolumeClaims support is available

With this update, PersistentVolumeClaims (PVC) support is available.

1.3. Added Configuration Profiles

With this update, there are additional configuration profiles.

1.4. Enhanced use of kube-rbac-proxy

This update removes the kube-rbac-proxy sidecar container from the RHDH Operator Pod. This sidecar container protected the operator metrics endpoint. However, the main container now provides this functionality out-of-the-box. Removing this sidecar container allows for reducing the resources required to run the Operator.

1.5. Identifying the Backstage flavor for plugins

With this update, you can use the developerHub.flavor field to identify whether plugins are running on RHDH, RHTAP, or vanilla Backstage, as shown in the following example:

app-config.yaml fragment with the developerhub.flavor field

developerHub:
  flavor: <flavor>;

flavor
Identify the flavor of Backstage that is running. Default value: rhdh

1.6. Ability to manage PVCs in RHDH Operator

You can now mount directories from pre-created PersistentVolumeClaims (PVCs) using the spec.application.extraFiles.pvcs field, while configuring RHDH Operator. For more information, see Persistent Volume Claim (PVC).

1.7. Authenticating with Red Hat Build of Keycloak

With this update, you can use Red Hat Build of Keycloak as an authentication provider. The Keycloak plugin will now support ingesting users and groups with Red Hat Build of Keycloak. For more details, see Authentication with Red Hat Build of Keycloak.

1.8. Ability to install third-party plugins in RHDH

You can now install third-party plugins in Red Hat Developer Hub without rebuilding the RHDH application.

For more information, see Third party plugins.

1.9. The catalog backend module logs plugin is enabled

With this update, the backstage-plugin-catalog-backend-module-logs is enabled and converted to a static plugin improving performance and stability. The dynamic plugin was disabled in version 1.3.

Chapter 2. Breaking changes

This section lists breaking changes in Red Hat Developer Hub 1.4.

2.1. Updated monitoring and logging metrics

Prom-client metrics have been removed and replaced with OpenTelemetry metrics. As a result, the metrics port has changed from 7007 to 9464. Deprecated metrics have also been removed. If you had dependencies on these, ensure your prometheus queries are updated. For further information, see Monitoring and logging

Additional resources

2.2. Plugins with updated scope

Some plugins previously under the @janus-idp scope have moved to @backstage/community:

Plugin Name

Plugin Name

@janus-idp/backstage-plugin-acr

@backstage-community/plugin-acr

@janus-idp/backstage-plugin-azure-devops

@backstage-community/plugin-azure-devops

@janus-idp/backstage-plugin-azure-devops-backend

@backstage-community/plugin-azure-devops-backend

@janus-idp/backstage-plugin-3scale-backend

@backstage-community/plugin-3scale-backend

@janus-idp/backstage-plugin-dynatrace

@backstage-community/plugin-dynatrace

@janus-idp/backstage-plugin-github-actions

@backstage-community/plugin-github-actions

@janus-idp/backstage-plugin-github-issues

@backstage-community/plugin-github-issues

@janus-idp/backstage-plugin-jenkins

@backstage-community/plugin-jenkins

@janus-idp/backstage-plugin-jenkins-backend

@backstage-community/plugin-jenkins-backend

@janus-idp/backstage-plugin-keycloak-backend

@backstage-community/plugin-catalog-backend-module-keycloak

@janus-idp/backstage-plugin-tekton

@backstage-community/plugin-tekton

@janus-idp/backstage-plugin-tech-radar

@backstage-community/plugin-tech-radar

@janus-idp/backstage-plugin-tech-radar-backend

@backstage-community/plugin-tech-radar-backend

@janus-idp/backstage-plugin-sonarqube

@backstage-community/plugin-sonarqube

@janus-idp/backstage-plugin-sonarqube-backend

@backstage-community/plugin-sonarqube-backend

@janus-idp/backstage-plugin-lighthouse

@backstage-community/plugin-lighthouse

@janus-idp/backstage-plugin-nexus-repository-manager

@backstage-community/plugin-nexus-repository-manager

@janus-idp/backstage-plugin-topology

@backstage-community/plugin-topology

@janus-idp/backstage-plugin-jfrog-artifactory

@backstage-community/plugin-jfrog-artifactory

@janus-idp/backstage-plugin-ocm

@backstage-community/plugin-ocm

@janus-idp/backstage-plugin-ocm-backend

@backstage-community/plugin-ocm-backend

@janus-idp/backstage-plugin-rbac

@backstage-community/plugin-rbac

@janus-idp/backstage-plugin-redhat-argocd

backstage-community/plugin-redhat-argocd

@janus-idp/backstage-plugin-rbac-backend

@backstage-community/plugin-rbac-backend

@janus-idp/backstage-catalog-backend-module-pingidentity

@backstage-community/plugin-catalog-backend-module-pingidentity

@janus-idp/backstage-scaffolder-backend-module-regex

@backstage-community/plugin-scaffolder-backend-module-regex

@janus-idp/backstage-plugin-quay

@backstage-community/plugin-quay

@janus-idp/backstage-scaffolder-backend-module-sonarqube

@backstage-community/plugin-scaffolder-backend-module-sonarqube

@janus-idp/backstage-scaffolder-backend-module-servicenow

@backstage-community/plugin-scaffolder-backend-module-servicenow

@janus-idp/backstage-plugin-analytics-provider-segment

@backstage-community/plugin-analytics-provider-segment

@janus-idp/backstage-plugin-scaffolder-backend-module-quay

@backstage-community/plugin-scaffolder-backend-module-quay

Two plugins previously under the @janus-idp scope have moved to @red-hat-developer-hub:

Plugin Name

RHDH

@janus-idp/backstage-plugin-bulk-import

@red-hat-developer-hub/backstage-plugin-bulk-import

@janus-idp/backstage-plugin-bulk-import-backend

@red-hat-developer-hub/backstage-plugin-bulk-import-backend

Chapter 3. Deprecated functionalities

This section lists deprecated functionalities in Red Hat Developer Hub 1.4.

3.1. ./dynamic-plugins/dist/janus-idp-backstage-plugin-aap-backend-dynamic plugin is deprecated

The ./dynamic-plugins/dist/janus-idp-backstage-plugin-aap-backend-dynamic plugin has been deprecated and will be removed in the next release. You can use Ansible plug-ins for RHDH instead.

Additional resources

3.2. Audit log rotation is deprecated

With this update, you can evaluate your platform’s log forwarding solutions to align with your security and compliance needs. Most of these solutions offer configurable options to minimize the loss of logs in the event of an outage.

Additional resources

3.3. Red Hat Single-Sign On 7.6 is deprecated as an authentication provider

Red Hat Single-Sign On (RHSSO) 7.6 is deprecated as an authentication provider. You can continue to use RHSSO until the end of maintenance support. For details, see RHSSO lifecycle dates. As an alternative, migrate to Red Hat Build of Keycloak v24.

Additional resources

Chapter 4. Technology Preview

This section lists Technology Preview features in Red Hat Developer Hub 1.4.

Important

Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported under Red Hat Subscription Level Agreements, may not be functionally complete, and are not intended for production use. As Red Hat considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features. See: Technology Preview support scope.

4.1. Added notification backend plugins

With this update, Developer Hub includes the following dynamic plugins to manage and streamline notification delivery:

These plugins are disabled by default.

Chapter 5. Fixed issues

This section lists issues fixed in Red Hat Developer Hub 1.4.

5.1. Fixed issues in 1.4

5.1.1. GitHub issues plugin supports multiple GitHub integration hosts

Previously, the GitHub issues plugin defaulted to using the first GitHub integration it detected for all components. This behavior made it incompatible with setups involving multiple GitHub integration hosts.

Now, GitHub issues plugin supports multiple GitHub integration hosts. It uses the well-known entity slug annotation backstage.io/source-location or backstage.io/managed-by-location to determine the appropriate GitHub integration for a component. If no integration matches the slug, the first GitHub integration is selected, maintaining the previous behavior.

Additional resources

5.1.2. All API documentation is defined in the 3scale backend plugin

Previously, some API documentation defined in the 3scale backend plugin was not accessible in RHDH.

With this update, all API documentation defined in the 3scale backend plugin is imported and merged in the RHDH.

Additional resources

5.1.3. RHDH helm chart deployment throws NotAllowedError

Previously, when deploying with the Helm Chart, there could be a mismatch between the Route hostname and the baseUrl fields added to the generated app-config ConfigMap. This could sometimes cause failure to authenticate against some providers due to an origin mismatch.

This update fixes this issue by ensuring no mismatch between those values.

Additional resources

5.1.4. Disable the creation of permission policies and roles when disabling the RBAC backend plugin

Previously, disabling the Role-Based Access Control (RBAC) backend plugin created roles and permission policies, whether the permission framework was enabled or not.

With this update, disabling the RBAC backend plugin no longer creates roles and permission policies.

Additional resources

5.1.5. Added alert on the deletion icon during bulk imports

Before this update, repositories were added to the Developer Hub from various sources, such as app-config files or GitHub discovery. The Bulk Import plugin only tracked repositories accessible using the configured GitHub integrations. When both plugins were enabled, repositories discovered by GitHub Discovery appeared on Bulk Import pages. However, deleting these repositories from Bulk Import Jobs had no effect, as entities from discovery or app-config.yaml file remained in the Developer Hub catalog.

With this update, an alert on the deletion icon notifies the user to modify the source (either the catalog-info within the repository or the app-config.yaml file if the file originates from there) to remove the catalog entity.

Additional resources

5.1.6. Removed the pre-configured custom resources from the Kubernetes configuration

Before this update, the custom resources in Kubernetes configuration were pre-configured. As a result, users could see Tekton warnings without configuring the custom resources in Kubernetes.

This update removes the pre-configured custom resources from the Kubernetes configuration. Therefore, users can customize resources to the Kubernetes configuration based on their requirements, preventing unrelated warnings from appearing.

Additional resources

5.1.7. RBAC Plugin is broken with latest Backstage version (1.31)

Before this update, Role-Based Access Control (RBAC) backend plugin broke in Backstage 1.31 with an error.

This update resolves compatibility issues with RBAC backend plugin on Backstage versions 1.31 and 1.32 without displaying any errors.

Additional resources

5.1.8. The backstage instance always failed to start in version 5.1.0

Before this update, the backstage instance failed to start in version 5.1.0, showing an error.

With this update, the Role-Based Access Control (RBAC) Backend plugin now starts successfully in version 5.1.0 without displaying any errors.

Additional resources

5.1.9. Resolved RBAC API inconsistency when scaling deployments to more than one pod

Before this update, scaling the deployment to more than one pod caused Role-Based Access Control (RBAC) roles to remain unsynced, allowing only the pod that created the resource to serve it.

With this update, RBAC roles are now properly synced across all pods, with Redis cache and traffic routing configured to ensure consistency across the deployment.

Additional resources

5.1.10. export-dynamic-plugin fails to find dependencies nested deeper than one level in node_modules

Previously, the CLI examined the dependencies of embedded packages during the export process to know if other packages should be embedded. One of the methods was calling {{require}} when the CLI encountered a built embedded package, which was the case when wrapping an existing plugin.

This update changes the parent directory that the {{require}} uses from the monorepo root to the embedded package. Therefore, the dependent package found is the dependency that is most relevant to the embedded package.

Additional resources

5.1.11. suppress-native-package and allow-native-package flags to handle native modules

Previously, the CLI failed with a message that native modules are not supported.

This update introduces two new CLI flags that help dynamic plugin developers handle native modules. Both flags accept a list of packages. The --suppress-native-package flag does not require the native module at runtime. It replaces the native module with an empty package that displays an error. The --allow-native-package flag instructs the CLI to allow the native package during checks, and tests a plugin that uses a native module.

Additional resources

5.1.12. Resolved the issue with text selection when reporting a TechDoc issue

Previously, the feature to report a documentation (TechDoc) issue failed. Therefore, when a user selected a text in a TechDoc, a large icon appeared instead of a tooltip button.

With this update, users can select texts when reporting a documentation (TechDoc) issue.

Additional resources

5.1.13. Resolved the stdout maxBuffer error

Previously, the export-dynamic-plugin failed with an error that the stdout maxBuffer length was exceeded.

With this update, the CLI redirects the output of the {{yarn install}} command it performs during the export process to a file. Therefore, a successful completion of the {{yarn install}} command and verification of the export-dynamic-plugin, cleans up the file. The file is available for troubleshooting when the dynamic plugin validation checks fail.

Additional resources

5.1.14. Added an --ignore-version-check flag

Previously, exporting a plugin that has not been updated to a newer backstage version failed due to a semver check performed on dependencies of the dynamic plugin package.

With this update, an --ignore-version-check flag accepts a list of package names causing the CLI to selectively ignore the semver check the CLI performs when evaluating the plugin package dependencies. Therefore, a plugin that has not been updated works because it relies on unchanged interfaces and functions.

Additional resources

5.1.15. Updated the Tech Radar plugin

With this update, you are now required to enable both ./dynamic-plugins/dist/backstage-community-tech-radar and ./dynamic-plugins/dist/backstage-community-tech-radar-backend-dynamic to use the Tech Radar plugin. You must configure additional settings depending on where you choose to load the JSON data for the plugin.

Additional resources

Chapter 6. Fixed security issues

This section lists security issues fixed in Red Hat Developer Hub 1.4.

6.1. Red Hat Developer Hub 1.4.0

6.1.1. Red Hat Developer Hub dependency updates

CVE-2024-24790
A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn’t behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
CVE-2024-24791
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
CVE-2024-35255
A flaw was found in the Azure identity library at github.com/Azure/azure-sdk-for-go/sdk/azidentity. This issue allows an elevation of privileges.
CVE-2024-37891
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the Proxy-Authorization HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.
CVE-2024-39008
A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments to the objectMergeDeep function crafted with the built-in property: proto. This issue can potentially lead to a denial of service, remote code execution, or Cross-site scripting.
CVE-2024-39249
A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.

6.1.2. RHEL 9 platform RPM updates

CVE-2023-52439
A flaw was found in the Linux kernel’s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system.
CVE-2023-52884
In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions
CVE-2024-26739
A use-after-free flaw was found in net/sched/act_mirred.c in the Linux kernel. This may result in a crash.
CVE-2024-26929
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport
CVE-2024-26930
A vulnerability was found in the Linux kernel. A potential double-free in the pointer ha→vp_map exists in the Linux kernel in drivers/scsi/qla2xxx/qla_os.c.
CVE-2024-26931
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix command flush on cable pull
CVE-2024-26947
A flaw was found in the Linux kernel’s ARM memory management functionality, where certain memory layouts cause a kernel panic. This flaw allows an attacker who can specify or alter memory layouts to cause a denial of service.
CVE-2024-26991
A flaw was found in the Linux Kernel. A lpage_info overflow can occur when checking attributes. This may lead to a crash.
CVE-2024-27022
In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized
CVE-2024-35895
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem
CVE-2024-36016
In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
CVE-2024-36899
In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify
CVE-2024-38562
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing
CVE-2024-38570
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount
CVE-2024-38573
A NULL pointer dereference flaw was found in cppc_cpufreq_get_rate() in the Linux kernel. This issue may result in a crash.
CVE-2024-38601
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks
CVE-2024-38615
In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional
CVE-2024-39331
A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.
CVE-2024-40984
In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
CVE-2024-41071
An out-of-bounds buffer overflow has been found in the Linux kernel’s mac80211 subsystem when scanning for SSIDs. Address calculation using out-of-bounds array indexing could result in an attacker crafting an exploit, resulting in the complete compromise of a system.
CVE-2024-42225
A potential flaw was found in the Linux kernel’s MediaTek WiFi, where it was reusing uninitialized data. This flaw allows a local user to gain unauthorized access to some data potentially.
CVE-2024-42246
In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
CVE-2024-45490
A flaw was found in libexpat’s xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
CVE-2024-45491
An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
CVE-2024-45492
A flaw was found in libexpat’s internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.
CVE-2024-6119
A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Chapter 7. Known issues

This section lists known issues in Red Hat Developer Hub 1.4.

7.1. Topology plugin permission is not displayed in the RBAC front-end UI

Permissions associated only with front-end plugins do not appear in the UI because they require a backend plugin to expose the permission framework's well-known endpoint. As a workaround, you can apply these permissions by using a CSV file or directly calling the REST API of the RBAC backend plugin. Affected plugins include Topology (topology.view.read), Tekton (tekton.view.read), ArgoCD (argocd.view.read), and Quay (quay.view.read).

Additional resources

7.2. Unable to run two RHDH replicas on different nodes due to Multi-Attach errors on dynamic plugins root PVC

Currently, when deploying Developer Hub using the Helm Chart, two replicas cannot run on different cluster nodes. This might also affect the upgrade from 1.3 to 1.4.0 if the new pod is scheduled on a different node.

A possible workaround for the upgrade is to manually scale down the number of replicas to 0 before upgrading your Helm release. Or manually remove the old Developer Hub pod after upgrading the Helm release. However, this would imply some application downtime. You can also leverage a Pod Affinity rule to force the cluster scheduler to run your Developer Hub pods on the same node.

Additional resources

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.