Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Provisioning and using your custom Red Hat Developer Hub configuration

To configure Red Hat Developer Hub, use these methods, which are widely used to configure a Red Hat OpenShift Container Platform application:

  • Use config maps to mount files and directories.
  • Use secrets to inject environment variables.

Learn to apply these methods to Developer Hub:

  1. Provision your custom config maps and secrets to OpenShift Container Platform.

  2. Use your selected deployment method to mount the config maps and inject the secrets:

To configure Red Hat Developer Hub, provision your custom Red Hat Developer Hub config maps and secrets to Red Hat OpenShift Container Platform (RHOCP) before running Red Hat Developer Hub.

Tip

On Red Hat OpenShift Container Platform, you can skip this step to run Developer Hub with the default config map and secret. Your changes on this configuration might get reverted on Developer Hub restart.

Prerequisites

  • By using the OpenShift CLI (oc), you have access, with developer permissions, to the OpenShift cluster aimed at containing your Developer Hub instance.

Procedure

  1. For security, store your secrets as environment variables values in an OpenShift Container Platform secret, rather than in clear text in your configuration files. Collect all your secrets in the secrets.txt file, with one secret per line in KEY=value form.

  2. Author your custom app-config.yaml file. This is the main Developer Hub configuration file. You need a custom app-config.yaml file to avoid the Developer Hub installer to revert user edits during upgrades. When your custom app-config.yaml file is empty, Developer Hub is using default values.

    • To prepare a deployment with the Red Hat Developer Hub Operator on OpenShift Container Platform, you can start with an empty file.

    • To prepare a deployment with the Red Hat Developer Hub Helm chart, or on Kubernetes, enter the Developer Hub base URL in the relevant fields in your app-config.yaml file to ensure proper functionality of Developer Hub. The base URL is what a Developer Hub user sees in their browser when accessing Developer Hub. The relevant fields are baseUrl in the app and backend sections, and origin in the backend.cors subsection:

      Example 1.1. Configuring the baseUrl in app-config.yaml

      app:
  title: Red Hat Developer Hub
  baseUrl: https://<my_developer_hub_domain>

backend:
  auth:
    externalAccess:
      - type: legacy
        options:
          subject: legacy-default-config
          secret: "${BACKEND_SECRET}"
  baseUrl: https://<my_developer_hub_domain>
  cors:
    origin: https://<my_developer_hub_domain>
      Copy to Clipboard Toggle word wrap

    • Optionally, enter your configuration such as:

  3. Author your custom dynamic-plugins.yaml file to enable plugins. By default, Developer Hub enables a minimal plugin set, and disables plugins that require configuration or secrets, such as the GitHub repository discovery plugin and the Role-based access control (RBAC) plugin.

    Enable the GitHub repository discovery and the RBAC features:

    dynamic.plugins.yaml

    includes:
  - dynamic-plugins.default.yaml
plugins:
  - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github
    disabled: false
  - package: ./dynamic-plugins/dist/backstage-community-plugin-rbac
    disabled: false
    Copy to Clipboard Toggle word wrap

  4. Provision your custom configuration files to your OpenShift Container Platform cluster.

    1. Create the <my-rhdh-project> {namespace} aimed at containing your Developer Hub instance. 

      $ oc create namespace my-rhdh-project
      Copy to Clipboard Toggle word wrap

    2. Provision your app-config.yaml and dynamic-plugins.yaml files respectively to the my-rhdh-app-config, and dynamic-plugins-rhdh config maps in the <my-rhdh-project> project. 

      $ oc create configmap my-rhdh-app-config --from-file=app-config.yaml --namespace=my-rhdh-project
$ oc create configmap dynamic-plugins-rhdh --from-file=dynamic-plugins.yaml --namespace=my-rhdh-project
      Copy to Clipboard Toggle word wrap

      Alternatively, create the config maps by using the web console.

    3. Provision your secrets.txt file to the my-rhdh-secrets secret in the <my-rhdh-project> project. 

      $ oc create secret generic my-rhdh-secrets --from-file=secrets.txt --namespace=my-rhdh-project
      Copy to Clipboard Toggle word wrap

      Alternatively, create the secret by using the web console.

Next steps

To use the Developer Hub Operator to run Red Hat Developer Hub with your custom configuration, create your Backstage custom resource (CR) that:

  • Mounts files provisioned in your custom config maps.
  • Injects environment variables provisioned in your custom secrets.

Prerequisites

  • By using the OpenShift CLI (oc), you have access, with developer permissions, to the OpenShift Container Platform cluster aimed at containing your Developer Hub instance.
  • Your administrator has installed the Red Hat Developer Hub Operator in the cluster.
  • You have provisioned your custom config maps and secrets in your <my-rhdh-project> project.

Procedure

  1. Author your Backstage CR in a my-rhdh-custom-resource.yaml file to use your custom config maps and secrets.

    Minimal my-rhdh-custom-resource.yaml custom resource example: 

    apiVersion: rhdh.redhat.com/v1alpha3
kind: Backstage
metadata:
  name: my-rhdh-custom-resource
spec:
  application:
    appConfig:
      mountPath: /opt/app-root/src
      configMaps:
         - name: my-rhdh-app-config
    extraEnvs:
      secrets:
         - name: <my_product_secrets>
    extraFiles:
      mountPath: /opt/app-root/src
    route:
      enabled: true
  database:
    enableLocalDb: true
    Copy to Clipboard Toggle word wrap

    my-rhdh-custom-resource.yaml custom resource example with dynamic plugins and RBAC policies config maps, and external PostgreSQL database secrets: 

    apiVersion: rhdh.redhat.com/v1alpha3
kind: Backstage
metadata:
  name: <my-rhdh-custom-resource>
spec:
  application:
    appConfig:
      mountPath: /opt/app-root/src
      configMaps:
         - name: my-rhdh-app-config
         - name: rbac-policies
    dynamicPluginsConfigMapName: dynamic-plugins-rhdh
    extraEnvs:
      secrets:
         - name: <my_product_secrets>
         - name: my-rhdh-database-secrets
    extraFiles:
      mountPath: /opt/app-root/src
      secrets:
        - name: my-rhdh-database-certificates-secrets
          key: postgres-crt.pem, postgres-ca.pem, postgres-key.key
    route:
      enabled: true
  database:
    enableLocalDb: false
    Copy to Clipboard Toggle word wrap
    Mandatory fields
    No fields are mandatory. You can create an empty Backstage CR and run Developer Hub with the default configuration.
    Optional fields
    spec.application.appConfig.configMaps
    Enter your config map name list.

    Mount files in the my-rhdh-app-config config map: 

    spec:
  application:
    appConfig:
      mountPath: /opt/app-root/src
      configMaps:
         - name: my-rhdh-app-config
    Copy to Clipboard Toggle word wrap

    Mount files in the my-rhdh-app-config and rbac-policies config maps: 

    spec:
  application:
    appConfig:
      mountPath: /opt/app-root/src
      configMaps:
         - name: my-rhdh-app-config
         - name: rbac-policies
    Copy to Clipboard Toggle word wrap
    spec.application.extraEnvs.envs

    Optionally, enter your additional environment variables that are not secrets, such as your proxy environment variables.

    Inject your HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables: 

    spec:
  application:
    extraEnvs:
      envs:
        - name: HTTP_PROXY
          value: 'http://10.10.10.105:3128'
        - name: HTTPS_PROXY
          value: 'http://10.10.10.106:3128'
        - name: NO_PROXY
          value: 'localhost,example.org'
    Copy to Clipboard Toggle word wrap
    spec.application.extraEnvs.secrets

    Enter your environment variables secret name list.

    Inject the environment variables in your Red Hat Developer Hub secret: 

    spec:
  application:
    extraEnvs:
      secrets:
         - name: <my_product_secrets>
    Copy to Clipboard Toggle word wrap

    Inject the environment variables in the Red Hat Developer Hub and my-rhdh-database-secrets secrets: 

    spec:
  application:
    extraEnvs:
      secrets:
         - name: <my_product_secrets>
         - name: my-rhdh-database-secrets
    Copy to Clipboard Toggle word wrap
    Note

    <my_product_secrets> is your preferred Developer Hub secret name, specifying the identifier for your secret configuration within Developer Hub.

    spec.application.extraFiles.secrets

    Enter your certificates files secret name and files list.

    Mount the postgres-crt.pem, postgres-ca.pem, and postgres-key.key files contained in the my-rhdh-database-certificates-secrets secret: 

    spec:
  application:
    extraFiles:
      mountPath: /opt/app-root/src
      secrets:
        - name: my-rhdh-database-certificates-secrets
          key: postgres-crt.pem, postgres-ca.pem, postgres-key.key
    Copy to Clipboard Toggle word wrap
    spec.database.enableLocalDb

    Enable or disable the local PostgreSQL database.

    Disable the local PostgreSQL database generation to use an external postgreSQL database: 

    spec:
  database:
    enableLocalDb: false
    Copy to Clipboard Toggle word wrap

    On a development environment, use the local PostgreSQL database: 

    spec:
  database:
    enableLocalDb: true
    Copy to Clipboard Toggle word wrap
    spec.deployment
    Optionally, enter your deployment configuration.

  2. Apply your Backstage CR to start or update your Developer Hub instance: 

    $ oc apply --filename=my-rhdh-custom-resource.yaml --namespace=my-rhdh-project
    Copy to Clipboard Toggle word wrap

The mountPath field specifies the location where a ConfigMap or Secret is mounted. The behavior of the mount, whether it includes or excludes a subPath, depends on the specification of the key or mountPath fields.

  • If key and mountPath are not specified: Each key or value is mounted as a filename or content with a subPath.
  • If key is specified with or without mountPath: The specified key or value is mounted with a subPath.
  • If only mountPath is specified: A directory containing all the keys or values is mounted without a subPath.
  • If the containers field is not specified: The volume mounts only to the backstage-backend container. By default, files mount only to the backstage-backend container. You can also specify other targets, including a list of containers by name (such as dynamic-plugin-install or selectcustom sidecars) or select all containers in the Backstage Pod.
Note
  • OpenShift Container Platform does not automatically update a volume mounted with subPath. By default, the RHDH Operator monitors these ConfigMaps or Secrets and refreshes the RHDH Pod when changes occur.
  • For security purposes, Red Hat Developer Hub does not give the Operator Service Account read access to Secrets. As a result, mounting files from Secrets without specifying both mountPath and key is not supported.

Procedure

  1. Apply the configuration to your Backstage custom resource (CR). The following code block is an example: 

    spec:
  application:
    extraFiles:
      mountPath: _<default_mount_path>_
      configMaps:
        - name: _<configmap_name_all_entries>_
        - name: _<configmap_name_single_key>_
          key: _<specific_file_key>_
          containers:
            - "*"
        - name: _<configmap_name_custom_path>_
          mountPath: _<custom_cm_mount_path>_
          containers:
            - backstage-backend
            - install-dynamic-plugins
      secrets:
        - name: _<secret_name_single_key>_
          key: _<specific_secret_key>_
          containers:
            - install-dynamic-plugins
        - name: _<secret_name_custom_path>_
          mountPath: _<custom_secret_mount_path>_
      pvcs:
        - name: _<pvc_name_default_path>_
        - name: _<pvc_name_custom_path>_
          mountPath: _<custom_pvc_mount_path>_
    extraEnvs:
      configMaps:
        - name: _<configmap_name_env_var>_
          key: _<env_var_key>_
          containers:
            - "*"
      secrets:
        - name: _<secret_name_all_envs>_
      envs:
        - name: _<static_env_var_name>_
          value: "_<static_env_var_value>_"
          containers:
           - install-dynamic-plugins
    Copy to Clipboard Toggle word wrap

    where:

    spec.application.extraFiles.mountPath
    Specifies the default base mount path for files if no specific mountPath is set for a resource (for example, /<default_mount_path>).
    spec.application.extraFiles.configMaps.name
    Mounts all entries from <configmap_name_all_entries> to the default mount path.
    spec.application.extraFiles.configMaps.key
    Mounts **only the specified key (for example, <specific_file_key>.txt) from the ConfigMap.
    spec.application.extraFiles.configMaps.containers
    Targets all containers ("*") for mounting.
    spec.application.extraFiles.configMaps.mountPath
    Overrides the default and mounts all ConfigMap entries as a directory at the specified path (for example, /<custom_cm_mount_path>).
    spec.application.extraFiles.secrets.key
    Mounts only a specific key from the Secret.
    spec.application.extraFiles.secrets.mountPath
    Overrides the default and mounts all Secret entries as a directory at the specified path (for example, /<custom_secret_mount_path>).
    spec.application.extraFiles.pvcs.name
    Mounts the PVC to the default mount path, appending the PVC name (for example, /<default_mount_path>/<pvc_name_default_path>).
    spec.application.extraFiles.pvcs.mountPath
    Overrides the default and mounts the PVC to the specified path (for example, /<custom_pvc_mount_path>).
    spec.application.extraEnvs.configMaps.containers
    Injects the specified ConfigMap key as an environment variable into all containers ("*").
    spec.application.extraEnvs.secrets.name
    Injects all keys from the Secret as environment variables into the default container.
    spec.application.envs.containers
    Targets only the listed container for the static environment variable injection.
Note

The following explicit options are supported:

  • No or an empty field: Mounts only to the backstage-backend container.
  • * (asterisk) as the first and only array element: Mounts to all containers.
  • Explicit container names, for example, install-dynamic-plugins: Mounts only to the listed containers.

Verification

The files are mounted with the following correct paths and container targets:

Expand
ResourceTarget typePath(s) or name(s)Container(s)

ConfigMap (<configmap_name_all_entries>)

File

/<default_mount_path>/<file_1_key>, /<default_mount_path>/<file_2_key>

backstage-backend

ConfigMap (<configmap_name_single_key>)

File

/<default_mount_path>/<specific_file_key>.txt

All

ConfigMap (<configmap_name_custom_path>)

Directory

/<custom_cm_mount_path>/

backstage-backend, install-dynamic-plugins

Secret (<secret_name_single_key>)

File

/<default_mount_path>/<specific_secret_key>.txt

install-dynamic-plugins

Secret (<secret_name_custom_path>)

Directory

/<custom_secret_mount_path>/

backstage-backend

PVC (<pvc_name_default_path>)

Directory

/<default_mount_path>/<pvc_name_default_path>

backstage-backend

ConfigMap (<configmap_name_env_var>)

Env Var

<env_var_key>

All

Secret (<secret_name_all_envs>)

Env Var

<secret_key_a>, <secret_key_b>

backstage-backend

CRD (envs)

Env Var

<static_env_var_name> = <static_env_var_value>

install-dynamic-plugins

You can use the Red Hat Developer Hub Helm chart to add a custom application configuration file to your OpenShift Container Platform instance.

Prerequisites

Procedure

  1. Configure Helm to use your custom configuration files in Developer Hub.

    1. Go to the Helm tab to see the list of Helm releases.
    2. Click the overflow menu on the Helm release that you want to use and select Upgrade.
    3. Use the YAML view to edit the Helm configuration.

    4. Set the value of the upstream.backstage.extraAppConfig.configMapRef and upstream.backstage.extraAppConfig.filename parameters as follows:

      Helm configuration excerpt

      upstream:
  backstage:
    extraAppConfig:
      - configMapRef: my-rhdh-app-config
        filename: app-config.yaml
      Copy to Clipboard Toggle word wrap

    5. Click Upgrade.

Next steps

  • Install Developer Hub by using Helm.

!:previouscontext:

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat