Chapter 2. Install plugins from OCI registries by using custom certificates


In RHDH, you can install plugins stored in an internal OCI artifact registry that is served over HTTPS with custom CA certificates, for example:

Example configuration in the dynamic-plugins.yaml file

includes:
- dynamic-plugins.default.yaml

plugins:
- disabled: false
  package: oci://reg.example.com:5000/myplugin:v0.0.1!backstage-plugin-myplugin

Prerequisites

  • You have a corporate CA bundle or a set of custom container-registry TLS certificates that the system should trust.

    Note

    You can create a CA bundle from a set of CA certificates manually, by concatenating them into a single file, as follows:

    # Concatenate CA certificates
    cat registry.crt intermediate.crt corporate-root.crt > ca-bundle.crt
    
    # Validate
    openssl verify -CAfile ca-bundle.crt registry.crt

2.1. Installing plugins from OCI registries by using per-registry TLS configuration

Procedure

  1. Create a ConfigMap from the CA certificate in the namespace where you are deploying your RHDH instance:

    oc create configmap registry-ca-crt --from-file=ca.crt
  2. Mount the CA certificate ConfigMap into your RHDH configuration:

    1. For a Helm chart installation, update your Helm chart configuration file, as follows:

      upstream:
        backstage:
          extraVolumes:
            # IMPORTANT: Due to a Helm limitation with arrays, you must also
            # include all the volumes defined in the default Helm Chart
            # before adding the new one
            # ...
            - name: registry-ca-crt
              configMap:
                name: registry-ca-crt
      
          initContainers:
            - name: install-dynamic-plugins
              # IMPORTANT: Due to a Helm limitation with arrays, you must also
              # include all the other fields defined in the default Helm Chart
              # ...
      
              volumeMounts:
                # IMPORTANT: Due to a Helm limitation with arrays, you must also
                # include all the volume mounts defined in the default Helm Chart
                # before adding the new one
                # ...
                - name: registry-ca-crt
                  # Hostname and port must match your target registry
                  mountPath: '/etc/containers/certs.d/reg.example.com:5000'
    2. For Operator-based installations, update your Backstage Custom Resource (CR), as follows:

      spec:
        application:
          extraFiles:
            configMaps:
              - name: registry-ca-crt
                # Hostname and port must match your target registry
                mountPath: '/etc/containers/certs.d/reg.example.com:5000'
                containers:
                  - install-dynamic-plugins
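
The certs.d mount path in this procedure must carry the same hostname and port as the registry in the oci:// package reference. The following script is an added example, not part of the RHDH documentation: it lists registries referenced in dynamic-plugins.yaml that have no matching certs.d mount. The function names and the values.yaml file name are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the RHDH docs): check that every oci:// registry in
# dynamic-plugins.yaml has a matching /etc/containers/certs.d/<host:port> mount.

# Print the unique registry host[:port] of each oci:// package in file $1.
oci_registries() {
  sed -n "s|^[ -]*package:[ ]*[\"']\{0,1\}oci://\([^/\"']*\)/.*|\1|p" "$1" | LC_ALL=C sort -u
}

# Print the registries that file $1 (Helm values or Backstage CR) mounts under certs.d.
mounted_registries() {
  sed -n "s|^[ -]*mountPath:[ ]*[\"']\{0,1\}/etc/containers/certs.d/\([^/\"' ]*\).*|\1|p" "$1" | LC_ALL=C sort -u
}

# Print registries used by $1 that have no certs.d mount in $2; return 1 if any.
missing_registry_mounts() {
  mounted=$(mounted_registries "$2")
  rc=0
  for reg in $(oci_registries "$1"); do
    printf '%s\n' "$mounted" | grep -Fxq -- "$reg" || { echo "$reg"; rc=1; }
  done
  return "$rc"
}

# Constructed sample input: two registries referenced, only one of them mounted.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/dynamic-plugins.yaml" <<'EOF'
plugins:
- disabled: false
  package: oci://reg.example.com:5000/myplugin:v0.0.1!backstage-plugin-myplugin
- disabled: false
  package: "oci://reg2.example.com/team/other:v1.2.0!backstage-plugin-other"
- package: ./dynamic-plugins/dist/local-plugin
EOF
  cat > "$dir/values.yaml" <<'EOF'
volumeMounts:
  - name: registry-ca-crt
    mountPath: '/etc/containers/certs.d/reg.example.com:5000'
EOF
  status=0
  missing_registry_mounts "$dir/dynamic-plugins.yaml" "$dir/values.yaml" || status=$?
  rm -rf "$dir"
  return "$status"
}
demo || echo "registries listed above have no certs.d mount" >&2
```

The non-zero return code makes the check usable as a pre-deployment gate.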

2.2. Installing plugins from OCI registries by mounting the CA bundle

Procedure

  1. Create a ConfigMap from the CA bundle in the namespace where you are deploying your RHDH instance:

    oc create configmap registry-ca-bundle --from-file=ca-bundle.crt
  2. Mount the CA bundle ConfigMap into your RHDH configuration:

    1. For a Helm chart installation, update your Helm chart configuration file, as follows:

      upstream:
        backstage:
          extraVolumes:
            # IMPORTANT: Due to a Helm limitation with arrays, you must also
            # include all the volumes defined in the default Helm Chart
            # before adding the new one
            # ...
            - name: registry-ca-bundle
              configMap:
                name: registry-ca-bundle
      
          initContainers:
            - name: install-dynamic-plugins
              # IMPORTANT: Due to a Helm limitation with arrays, you must also
              # include all the other fields defined in the default Helm Chart
              # ...
      
              volumeMounts:
                # IMPORTANT: Due to a Helm limitation with arrays, you must also
                # include all the volume mounts defined in the default Helm Chart
                # before adding the new one
                # ...
                - name: registry-ca-bundle
                  mountPath: /etc/pki/tls/certs/
    2. For Operator-based installations, update your Backstage Custom Resource (CR), as follows:

      spec:
        application:
          extraFiles:
            configMaps:
              - name: registry-ca-bundle
                mountPath: /etc/pki/tls/certs/
                containers:
                  # Note: Set to "*" instead if you want to mount it in all containers
                  - install-dynamic-plugins

2.3. Installing plugins from OCI registries in OpenShift

Prerequisites

  • Your cluster administrator must add the trusted corporate CA bundle to the cluster-wide configuration. For more information, see Security and compliance in the OpenShift Container Platform documentation.

Procedure

  1. Create an empty ConfigMap in the namespace where you are deploying your RHDH instance. You must add the config.openshift.io/inject-trusted-cabundle label to your ConfigMap, as follows:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: trusted-ca
      labels:
        config.openshift.io/inject-trusted-cabundle: "true"
  2. Wait for the trusted CA bundle to be injected into the ConfigMap. You can verify with the following command:

    oc get cm trusted-ca -o yaml

    You should see a block of certificates under the ca-bundle.crt key.

  3. Mount the ConfigMap into the /etc/pki/ca-trust/extracted/pem path of the RHDH init container.

    1. For a Helm chart installation, update your Helm chart configuration file, as follows:

      upstream:
        backstage:
          extraVolumes:
            # IMPORTANT: Due to a Helm limitation with arrays, you must also
            # include all the volumes defined in the default Helm Chart
            # before adding the new one
            # ...
            - name: trusted-ca
              configMap:
                name: trusted-ca
      
          initContainers:
            - name: install-dynamic-plugins
              # IMPORTANT: Due to a Helm limitation with arrays, you must also
              # include all the other fields defined in the default Helm Chart
              # ...
      
              volumeMounts:
                # IMPORTANT: Due to a Helm limitation with arrays, you must also
                # include all the volume mounts defined in the default Helm Chart
                # before adding the new one
                # ...
                - name: trusted-ca
                  mountPath: /etc/pki/ca-trust/extracted/pem
    2. For Operator-based installations, update your Backstage Custom Resource (CR), as follows:

      spec:
        application:
          extraFiles:
            configMaps:
              - name: trusted-ca
                mountPath: /etc/pki/ca-trust/extracted/pem
                containers:
                  # Note: Set to "*" instead if you want to mount it in all containers
                  - install-dynamic-plugins
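
Both the manually built ca-bundle.crt in section 2.2 and the ca-bundle.crt key injected into the trusted-ca ConfigMap in section 2.3 are only useful if they contain the CA that issued the registry certificate. The following script is an added example, not part of the RHDH documentation: it counts the certificates in a PEM bundle and checks that a given CA certificate is among them, without requiring openssl. The function names are assumptions and the PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the RHDH docs): confirm that a PEM bundle, such as
# ca-bundle.crt or the ca-bundle.crt key saved from trusted-ca, contains a given CA.

# Print one line per certificate in PEM file $1: its base64 body, unwrapped.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
    inside { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# Number of certificates in bundle $1 (0 means nothing was injected yet).
bundle_cert_count() {
  pem_bodies "$1" | wc -l | tr -d ' '
}

# Return 0 only if every certificate in $2 also appears in bundle $1.
bundle_contains() {
  have=$(pem_bodies "$1")
  want_all=$(pem_bodies "$2")
  [ -n "$want_all" ] || return 2          # $2 held no certificate at all
  for want in $want_all; do
    printf '%s\n' "$have" | grep -Fxq -- "$want" || return 1
  done
}

demo() {
  dir=$(mktemp -d)
  # Constructed placeholders: short base64-like strings, not real certificates.
  cat > "$dir/ca-bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUkVHSVNUUlk=
-----END CERTIFICATE-----
# comment lines between certificates are ignored
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQt
Q09SUE9SQVRFLVJPT1Q=
-----END CERTIFICATE-----
EOF
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ09SUE9SQVRFLVJPT1Q=' \
    '-----END CERTIFICATE-----' > "$dir/corporate-root.crt"
  echo "certificates in bundle: $(bundle_cert_count "$dir/ca-bundle.crt")"
  bundle_contains "$dir/ca-bundle.crt" "$dir/corporate-root.crt" && echo "corporate root present"
  rm -rf "$dir"
}
demo
```

The comparison is on the exact encoded certificate, so a re-issued CA with the same subject but a different key does not count as present.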