Chapter 2. Install plugins from OCI registries by using custom certificates


In RHDH, you can install OCI plugins stored in an internal OCI artifact registry served over HTTPS with custom CA certificates, for example:

Example configuration in dynamic-plugins.yaml file

includes:
- dynamic-plugins.default.yaml

plugins:
- disabled: false
  package: oci://reg.example.com:5000/myplugin:v0.0.1!backstage-plugin-myplugin

Prerequisites

  • You have a corporate CA bundle or a set of custom container-registry TLS certificates that the system should trust.

    Note

    You can create a CA bundle from a set of CA certificates manually, by concatenating them into a single file, as follows:

    # Concatenate CA certificates
    cat registry.crt intermediate.crt corporate-root.crt > ca-bundle.crt
    
    # Validate
    openssl verify -CAfile ca-bundle.crt registry.crt

Procedure

  1. Create a ConfigMap from the CA certificate in the namespace where you are deploying your RHDH instance:

    oc create configmap registry-ca-crt --from-file=ca.crt
  2. Mount the CA certificate ConfigMap into your RHDH configuration:

    1. For a Helm chart installation, update your Helm chart configuration file, as follows:

      upstream:
        backstage:
          extraVolumes:
            # IMPORTANT: Due to a Helm limitation with arrays, you must also
            # include all the volumes defined in the default Helm Chart
            # before adding the new one
            # ...
            - name: registry-ca-crt
              configMap:
                name: registry-ca-crt
      
          initContainers:
            - name: install-dynamic-plugins
              # IMPORTANT: Due to a Helm limitation with arrays, you must also
              # include all the other fields defined in the default Helm Chart
              # ...
      
              volumeMounts:
                # IMPORTANT: Due to a Helm limitation with arrays, you must also
                # include all the volume mounts defined in the default Helm Chart
                # before adding the new one
                # ...
                - name: registry-ca-crt
                  # Hostname and port must match your target registry
                  mountPath: '/etc/containers/certs.d/reg.example.com:5000'
    2. For Operator-based installations, update your Backstage Custom Resource (CR), as follows:

      spec:
        application:
          extraFiles:
            configMaps:
              - name: registry-ca-crt
                # Hostname and port must match your target registry
                mountPath: '/etc/containers/certs.d/reg.example.com:5000'
                containers:
                  - install-dynamic-plugins
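
The certs.d mount in this procedure only helps when its directory name equals the registry host and port used in the oci:// reference. The following shell check is an added example, not part of the RHDH documentation: the function names are hypothetical, the second plugin entry in the sample is constructed, and it assumes one `package:` value per line.

```shell
#!/bin/sh
# Added example (not from the RHDH documentation); function names are hypothetical.

# Print the registry authority (host[:port]) of an oci:// package reference.
oci_registry() {
  ref=${1#oci://}        # drop the scheme
  ref=${ref%%!*}         # drop the "!<plugin-path>" suffix
  case $ref in
    */*) printf '%s\n' "${ref%%/*}" ;;  # everything before the first "/"
    *)   return 1 ;;                    # no repository part: malformed
  esac
}

# Print the certs.d directory that must hold the CA for that reference.
certs_d_dir() {
  reg=$(oci_registry "$1") || return 1
  printf '/etc/containers/certs.d/%s\n' "$reg"
}

# Read dynamic-plugins.yaml on stdin; arguments are the mountPath values
# configured for the install-dynamic-plugins init container.
# Prints one line per oci:// package that no mountPath covers.
unmounted_registries() {
  tr -d "\"'" |
  sed -n 's|^[[:space:]-]*package:[[:space:]]*\(oci://[^[:space:]]*\).*|\1|p' |
  while IFS= read -r pkg; do
    want=$(certs_d_dir "$pkg") || { echo "invalid: $pkg"; continue; }
    found=no
    for m in "$@"; do
      if [ "${m%/}" = "$want" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then echo "missing: $want (for $pkg)"; fi
  done
}

# Constructed sample: the page's plugin plus a made-up entry that uses the
# same host without the port, which needs its own certs.d directory.
sample_config() {
  cat <<'EOF'
plugins:
- disabled: false
  package: oci://reg.example.com:5000/myplugin:v0.0.1!backstage-plugin-myplugin
- disabled: false
  package: oci://reg.example.com/otherplugin:v0.0.2!backstage-plugin-other
EOF
}

sample_config | unmounted_registries '/etc/containers/certs.d/reg.example.com:5000'
```

Pass every mountPath from the init container's volumeMounts (Helm) or extraFiles.configMaps (Operator); each `missing:` line names a directory that still needs a CA mount.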

Procedure

  1. Create a ConfigMap from the CA bundle in the namespace where you are deploying your RHDH instance:

    oc create configmap registry-ca-bundle --from-file=ca-bundle.crt
  2. Mount the CA bundle ConfigMap into your RHDH configuration:

    1. For a Helm chart installation, update your Helm chart configuration file, as follows:

      upstream:
        backstage:
          extraVolumes:
            # IMPORTANT: Due to a Helm limitation with arrays, you must also
            # include all the volumes defined in the default Helm Chart
            # before adding the new one
            # ...
            - name: registry-ca-bundle
              configMap:
                name: registry-ca-bundle
      
          initContainers:
            - name: install-dynamic-plugins
              # IMPORTANT: Due to a Helm limitation with arrays, you must also
              # include all the other fields defined in the default Helm Chart
              # ...
      
              volumeMounts:
                # IMPORTANT: Due to a Helm limitation with arrays, you must also
                # include all the volume mounts defined in the default Helm Chart
                # before adding the new one
                # ...
                - name: registry-ca-bundle
                  mountPath: /etc/pki/tls/certs/
    2. For Operator-based installations, update your Backstage Custom Resource (CR), as follows:

      spec:
        application:
          extraFiles:
            configMaps:
              - name: registry-ca-bundle
                mountPath: /etc/pki/tls/certs/
                containers:
                  # Note: Set to "*" instead if you want to mount it in all containers
                  - install-dynamic-plugins

Prerequisites

  • Your cluster administrator must add the trusted corporate CA bundle to the cluster-wide configuration. For more information, see Security and compliance in the OpenShift Container Platform documentation.

Procedure

  1. Create an empty ConfigMap in the namespace where you are deploying your RHDH instance. You must add the config.openshift.io/inject-trusted-cabundle label to your ConfigMap, as follows:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: trusted-ca
      labels:
        config.openshift.io/inject-trusted-cabundle: "true"
  2. Wait for the trusted CA bundle to be injected into the ConfigMap. You can verify with the following command:

    oc get cm trusted-ca -o yaml

    You should see a block of certificates under the ca-bundle.crt key.

  3. Mount the ConfigMap into the /etc/pki/ca-trust/extracted/pem path of the RHDH init container.

    1. For a Helm chart installation, update your Helm chart configuration file, as follows:

      upstream:
        backstage:
          extraVolumes:
            # IMPORTANT: Due to a Helm limitation with arrays, you must also
            # include all the volumes defined in the default Helm Chart
            # before adding the new one
            # ...
            - name: trusted-ca
              configMap:
                name: trusted-ca
      
          initContainers:
            - name: install-dynamic-plugins
              # IMPORTANT: Due to a Helm limitation with arrays, you must also
              # include all the other fields defined in the default Helm Chart
              # ...
      
              volumeMounts:
                # IMPORTANT: Due to a Helm limitation with arrays, you must also
                # include all the volume mounts defined in the default Helm Chart
                # before adding the new one
                # ...
                - name: trusted-ca
                  mountPath: /etc/pki/ca-trust/extracted/pem
    2. For Operator-based installations, update your Backstage Custom Resource (CR), as follows:

      spec:
        application:
          extraFiles:
            configMaps:
              - name: trusted-ca
                mountPath: /etc/pki/ca-trust/extracted/pem
                containers:
                  # Note: Set to "*" instead if you want to mount it in all containers
                  - install-dynamic-plugins