
chore: fix default app-config and example#2307

Merged
openshift-merge-bot[bot] merged 13 commits into redhat-developer:main from gazarenkov:sts-demo on Mar 24, 2026

Conversation

@gazarenkov
Member

@gazarenkov gazarenkov commented Feb 10, 2026

Description

  • remove legacy externalAccess configuration from default app-config as it is not needed
  • add guest provider to dev environment to default app-config to make it work with zero configuration w/o err messages
  • fix examples/pvc-dp-cache.yaml

Which issue(s) does this PR fix or relate to

https://issues.redhat.com/browse/RHDHBUGS-2689

@openshift-ci

openshift-ci Bot commented Feb 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign gazarenkov for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gazarenkov gazarenkov requested review from rm3l and removed request for Fortune-Ndlovu and subhashkhileri February 10, 2026 17:34
Co-authored-by: gazarenkov <gazarenkov@users.noreply.github.com>
@github-actions
Contributor

⚠️ Files changed in bundle and installer generation!

Those changes to the operator bundle/installer manifests should have been pushed automatically to your PR branch.

NOTE: If the PR checks are stuck after this additional commit, manually close the PR and immediately reopen it to trigger the checks again.

@rhdh-qodo-merge

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 Security concerns

Insecure default authentication:
The default app-config enables the guest provider and sets dangerouslyAllowOutsideDevelopment: true, which could allow unauthenticated access if this config is used in a non-development environment or if environment detection is misconfigured.

⚡ Recommended focus areas for review

Broken Example

The example still sets application.dynamicPluginsConfigMapName: dynamic-plugins but the ConfigMap named dynamic-plugins was removed from the manifest. Validate the example remains runnable as-is (either re-add the ConfigMap, provide an alternative reference, or remove the dynamicPluginsConfigMapName field from the example).

apiVersion: rhdh.redhat.com/v1alpha5
kind: Backstage
metadata:
  name: bs1
spec:
  deployment:
    kind: StatefulSet
    patch:
      spec:
        replicas: 2
        template:
          spec:
            # uncomment the following nodeAffinity section to schedule pods on a specific node
            # and make sure to replace the value with the desired node name (ip-10-0-1-128.ec2.internal in this example)
            # to be able to test the ReadWriteOnce PVC on a multi node cluster
            # affinity:
            #   nodeAffinity:
            #     requiredDuringSchedulingIgnoredDuringExecution:
            #       nodeSelectorTerms:
            #         - matchExpressions:
            #             - key: kubernetes.io/hostname
            #               operator: In
            #               values:
            #                 - ip-10-0-1-156.ec2.internal
            volumes:
              - $patch: replace
                name: dynamic-plugins-root
                persistentVolumeClaim:
                  claimName: dynamic-plugins-root
        updateStrategy:
          type: RollingUpdate
        volumeClaimTemplates:
          - apiVersion: v1
            kind: PersistentVolumeClaim
            metadata:
              name: dynamic-plugins-root
            spec:
              accessModes:
                - ReadWriteOnce
              resources:
                requests:
                  storage: 1Gi
  application:
    dynamicPluginsConfigMapName: dynamic-plugins
Security Posture

The default config enables the guest auth provider and sets dangerouslyAllowOutsideDevelopment: true. Even with auth.environment: development, this can be risky if the generated default config is ever applied to non-dev environments. Confirm this is strictly limited to dev-only profiles and cannot leak into production defaults, and consider adding stronger guardrails or documentation around this default.

auth:
  environment: development
  providers:
    guest:
      dangerouslyAllowOutsideDevelopment: true
📚 Focus areas based on broader codebase context

Auth Config

The default config now enables auth.providers.guest (with dangerouslyAllowOutsideDevelopment: true) but no longer includes any backend.auth.externalAccess configuration. Please validate that operator-managed deployments still have a working backend-to-backend auth mechanism for endpoints that rely on external access tokens, and that guest auth is only used for the intended dev-only use case. (Ref 5, Ref 6)

auth:
  environment: development
  providers:
    guest:
      dangerouslyAllowOutsideDevelopment: true

Reference reasoning: The reference configs enable the guest provider specifically for development scenarios while still configuring backend.auth.externalAccess (legacy/static token) alongside it. This suggests guest auth is meant to complement, not replace, backend external access, so removing external access from the default config could change expected authentication behavior.

📄 References
  1. redhat-developer/rhdh-operator/pkg/model/testdata/raw-app-config.yaml [1-19]
  2. redhat-developer/rhdh-operator/examples/pvc-dp-cache.yaml [60-83]
  3. redhat-developer/rhdh/app-config.example.yaml [1-42]
  4. redhat-developer/rhdh-operator/examples/raw-runtime-config.yaml [1-25]
  5. redhat-developer/rhdh-operator/examples/rhdh-cr-with-app-configs.yaml [17-36]
  6. redhat-developer/rhdh-operator/examples/orchestrator.yaml [18-37]
  7. redhat-developer/rhdh-operator/examples/rhdh-cr.yaml [5-30]
  8. redhat-developer/rhdh/scripts/rhdh-openshift-setup/values.yaml [253-270]

@rhdh-qodo-merge rhdh-qodo-merge Bot added the labels enhancement (New feature or request) and Other on Feb 10, 2026
@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Feb 10, 2026

PR Type (description updated up to commit 17e0aba): Enhancement, Other


Description

  • Remove legacy externalAccess configuration from default app-config
  • Add development environment setting to auth providers configuration
  • Remove marketplace plugin entries from example PVC cache configuration
  • Regenerate bundle and installer manifests with updated timestamps
  • Fix import formatting in generated deepcopy files

File Walkthrough

Relevant files

Formatting (3 files)
  • zz_generated.deepcopy.go: Fix import formatting in generated code (+1/-1)
  • zz_generated.deepcopy.go: Fix import formatting in generated code (+1/-1)
  • zz_generated.deepcopy.go: Fix import formatting in generated code (+1/-1)

Configuration changes (5 files)
  • backstage-operator.clusterserviceversion.yaml: Update operator bundle manifest timestamp (+1/-1)
  • backstage-operator.clusterserviceversion.yaml: Update RHDH operator bundle manifest timestamp (+1/-1)
  • rhdh-default-config_v1_configmap.yaml: Simplify default app-config and remove legacy auth (+10/-28)
  • app-config.yaml: Remove legacy externalAccess and add development environment (+3/-9)
  • install.yaml: Update installer manifest with simplified app-config (+10/-28)

Miscellaneous (1 file)
  • pvc-dp-cache.yaml: Remove marketplace plugin entries from example (+0/-9)

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Feb 10, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
General
add sample plugins ConfigMap

Add a sample ConfigMap for dynamic-plugins to the pvc-dp-cache.yaml example file
to make it self-contained and prevent it from failing due to a missing resource.

examples/pvc-dp-cache.yaml [54-55]

+# Sample dynamic plugins ConfigMap
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dynamic-plugins
+data:
+  dynamic-plugins.yaml: |
+    plugins: []
+---
 application:
   dynamicPluginsConfigMapName: dynamic-plugins
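
Review bot: the `---` separator is placed between the Backstage spec and its `application:` mapping, so applying this hunk as written splits the CR: the two context lines that follow the separator (`application:` / `dynamicPluginsConfigMapName: dynamic-plugins`) become a keyless document of their own and the Backstage resource loses its `application` section. Put the sample ConfigMap in its own document at the top of the file, before `apiVersion: rhdh.redhat.com/v1alpha5`, with the `---` after it, and confirm that `dynamic-plugins.yaml` is the data key the operator reads from a ConfigMap referenced by `dynamicPluginsConfigMapName` before relying on the sample.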


Suggestion importance[1-10]: 8


Why: The PR removes the ConfigMap definition from the example file, which makes the example non-functional. This suggestion correctly identifies this issue and proposes adding a minimal ConfigMap to ensure the example remains self-contained and works correctly.

Medium
Security
disable guest provider by default
Suggestion impact: The commit removed the explicit insecure setting `dangerouslyAllowOutsideDevelopment: true` and replaced the guest provider configuration with an empty object (`guest: {}`), effectively no longer enabling the dangerous outside-development allowance by default (though it did not add the suggested comment or explicitly set the flag to false).

code diff:

-      providers:
-        guest:
-          dangerouslyAllowOutsideDevelopment: true
+      providers:  
+        guest: {}
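
Review bot: `guest: {}` still declares the guest provider; the only change is that it now runs under the default `dangerouslyAllowOutsideDevelopment` behaviour instead of an explicit override, so the dev-only restriction now rests entirely on `auth.environment: development` two lines above. The `+      providers:  ` line also carries trailing spaces; drop them so the generated manifests do not inherit them.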

Set dangerouslyAllowOutsideDevelopment to false in the default guest provider
configuration to improve security, and add a comment advising developers to
enable it for local development only.

config/profile/rhdh/default-config/app-config.yaml [18-22]

 auth:
   environment: development
   providers:
+    # guest provider disabled by default; enable only for local development
     guest:
-      dangerouslyAllowOutsideDevelopment: true
+      dangerouslyAllowOutsideDevelopment: false
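
Review bot: the added comment says the provider is "disabled by default", but the hunk keeps the `guest:` block and only sets `dangerouslyAllowOutsideDevelopment: false`; a guest entry with the flag off is still an enabled guest provider, merely restricted to development. If disabled-by-default is the intent, remove the `guest:` key entirely; if dev-only is the intent, reword the comment to say "restricted to development", because the comment as written will mislead the next reader of the default config.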

[Suggestion processed]

Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies a security risk in the default configuration and proposes a safer default by setting dangerouslyAllowOutsideDevelopment to false, improving the security posture for users.

Medium

Comment thread config/profile/rhdh/default-config/app-config.yaml Outdated
@rm3l rm3l requested review from JessicaJHee and kim-tsao February 10, 2026 21:37
Co-authored-by: gazarenkov <gazarenkov@users.noreply.github.com>
@github-actions
Contributor

⚠️ Files changed in bundle and installer generation!

Those changes to the operator bundle/installer manifests should have been pushed automatically to your PR branch.

NOTE: If the PR checks are stuck after this additional commit, manually close the PR and immediately reopen it to trigger the checks again.

@gazarenkov gazarenkov requested review from JessicaJHee and rm3l March 23, 2026 14:09
@rhdh-qodo-merge

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

RHDHBUGS-2689 - Partially compliant

Compliant requirements:

  • The default, operator-managed configuration for a zero-config install should avoid triggering user-identity/auth requests that fail by default.

Non-compliant requirements:

Requires further human verification:

  • When creating a Backstage instance using an "empty" CR (minimal Backstage resource), the UI must not show "Failed to load user identity ... 401 Unauthorized".
  • Reproduction scenario should work across Kubernetes/OpenShift versions.
⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🔒 Security concerns

Default insecure auth posture:
Setting auth.environment: development in the operator-provided default config (and any implied guest/anonymous access) can weaken authentication expectations if this default is used beyond local/dev scenarios. Confirm this change is constrained to development-only profiles or otherwise gated so production installs don't silently allow unauthenticated identity access.

⚡ Recommended focus areas for review

YAML Formatting

app-config.yaml is now embedded as a quoted string with escaped newlines and includes a comment-like line under metadata.name. This is easy to break and may produce invalid YAML or unexpected literal content in the generated ConfigMap; ensure the rendered ConfigMap data is exactly the intended multi-line YAML and that metadata.name is not polluted by inline/comment formatting.

app-config.yaml: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: my-backstage-config-cm1
  # placeholder for <bs>-default-appconfig\ndata:\n  default.app-config.yaml: |\n
  \   ###########################################################################################################\n
  \   # /!\\ WARNING\n    #\n    # This is the default app-config file created and
  managed by the Operator for your CR.\n    # Do NOT edit this manually in the Cluster,
  as your changes will be overridden by the Operator upon the\n    # next reconciliation.\n
  \   # If you want to customize the application configuration, you should create
  your own app-config ConfigMap\n    # and reference it in your CR.\n    # See https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.4/html/configuring/provisioning-and-using-your-custom-configuration#provisioning-your-custom-configuration\n
  \   # for more details.\n    ###########################################################################################################\n
  \   auth:\n      environment: development\n      providers:  \n        {}\n"
📚 Focus areas based on broader codebase context

Misconfiguration

The updated default config sets auth.environment: development but leaves auth.providers as an empty map ({}), which likely won't satisfy the stated goal of having a zero-config dev experience (and may still produce auth-related errors). Consider adding the guest provider under auth.providers for development, matching the established pattern used elsewhere in the repo. (Ref 3, Ref 4)

auth:
  environment: development
  providers:  
    {}

Reference reasoning: The repo’s example configurations for development explicitly configure auth.providers.guest (with dangerouslyAllowOutsideDevelopment: true) to enable unauthenticated access to certain endpoints during development, rather than leaving providers empty. This indicates the intended “works out of the box” dev setup includes a guest provider block, not {}.

📄 References
  1. redhat-developer/rhdh-operator/examples/raw-runtime-config.yaml [1-25]
  2. redhat-developer/rhdh-operator/examples/pvc-dp-cache.yaml [60-83]
  3. redhat-developer/rhdh-operator/examples/orchestrator.yaml [18-37]
  4. redhat-developer/rhdh-operator/examples/rhdh-cr-with-app-configs.yaml [17-36]
  5. redhat-developer/rhdh-operator/examples/rhdh-cr.yaml [5-30]
  6. redhat-developer/rhdh-operator/examples/rhdh-cr-with-app-configs.yaml [1-15]
  7. redhat-developer/rhdh/scripts/rhdh-openshift-setup/values.yaml [253-270]
  8. redhat-developer/rhdh/e2e-tests/playwright/utils/authentication-providers/yamls/configmap.yaml [1-42]
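
The two reviewer guides above ask for a guard that keeps the guest provider dev-only and for a check that the escaped, triple-nested app-config in the generated bundle still renders to the intended YAML. The script below is an added example for this review, not code from rhdh-operator or Backstage: it peels the three layers of a constructed bundle ConfigMap (the same shape as the one quoted under "YAML Formatting", with the content abbreviated) using Ruby's standard-library YAML parser, then returns finding codes for the auth states discussed in the thread: `dangerouslyAllowOutsideDevelopment: true`, a guest provider under a non-development `auth.environment`, and `environment: development` with `providers: {}`. The sample manifests, the finding codes and the function names are this example's own assumptions.

```ruby
# Added example for this review (not code from rhdh-operator or Backstage):
# unwrap the operator's bundled default ConfigMap and lint the embedded
# app-config's auth block for the dev-only settings discussed in the PR.
require 'yaml'

# Constructed sample with the three-layer shape the review quotes from
# bundle/rhdh/manifests/rhdh-default-config_v1_configmap.yaml: an outer
# ConfigMap whose `app-config.yaml` value is an escaped single-line string,
# which is itself a ConfigMap manifest whose `default.app-config.yaml` block
# scalar is the real Backstage app-config. Abbreviated, not a copy of the file.
BUNDLE_CONFIGMAP = <<~'YAML'
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: rhdh-default-config
  data:
    app-config.yaml: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: my-backstage-config-cm1 # placeholder for <bs>-default-appconfig\ndata:\n  default.app-config.yaml: |\n    # managed by the Operator; do not edit in the cluster\n    auth:\n      environment: development\n      providers:  \n        guest:\n          dangerouslyAllowOutsideDevelopment: true\n"
YAML

# Constructed app-config variants covering the other states raised in review.
GUEST_EMPTY_DEV   = "auth:\n  environment: development\n  providers:\n    guest: {}\n"
NO_PROVIDERS_DEV  = "auth:\n  environment: development\n  providers:  \n    {}\n"
GUEST_OUTSIDE_DEV = "auth:\n  environment: production\n  providers:\n    guest: {}\n"

# Finding codes are this example's own, not operator or Backstage terminology.
MESSAGES = {
  guest_dangerously_allowed:
    'guest provider sets dangerouslyAllowOutsideDevelopment: true; the dev-only guard is switched off',
  guest_outside_development:
    'guest provider is configured while auth.environment is not "development"',
  no_providers_in_development:
    'auth.environment is development but auth.providers is empty, so sign-in has no provider to use'
}.freeze

# Peel the three layers: bundle ConfigMap -> inner ConfigMap manifest -> app-config hash.
# safe_load is used at every layer so a YAML tag in a ConfigMap cannot instantiate objects.
def unwrap_default_app_config(bundle_yaml)
  bundle = YAML.safe_load(bundle_yaml)
  inner_manifest = YAML.safe_load(bundle.fetch('data').fetch('app-config.yaml'))
  YAML.safe_load(inner_manifest.fetch('data').fetch('default.app-config.yaml'))
end

# Return finding codes for an already-parsed app-config (empty array means clean).
# A guest block with the flag absent or false under environment: development is the
# accepted dev-only state and produces no finding.
def lint_auth(app_config)
  auth = (app_config || {})['auth'] || {}
  env = auth['environment']
  providers = auth['providers'] || {}
  findings = []
  if providers.key?('guest')
    guest = providers['guest'] || {}
    findings << :guest_dangerously_allowed if guest['dangerouslyAllowOutsideDevelopment'] == true
    findings << :guest_outside_development if env != 'development'
  elsif env == 'development' && providers.empty?
    findings << :no_providers_in_development
  end
  findings
end

# Lint a raw app-config document (e.g. the data value of a user-provided ConfigMap).
def lint_app_config_yaml(app_config_yaml)
  lint_auth(YAML.safe_load(app_config_yaml))
end

# Lint the app-config buried inside a bundle-style ConfigMap manifest.
def lint_bundle(bundle_yaml)
  lint_auth(unwrap_default_app_config(bundle_yaml))
end

if __FILE__ == $PROGRAM_NAME
  { 'bundle' => lint_bundle(BUNDLE_CONFIGMAP),
    'guest-empty-dev' => lint_app_config_yaml(GUEST_EMPTY_DEV),
    'no-providers-dev' => lint_app_config_yaml(NO_PROVIDERS_DEV),
    'guest-outside-dev' => lint_app_config_yaml(GUEST_OUTSIDE_DEV) }.each do |name, codes|
    status = codes.empty? ? 'ok' : codes.map { |c| MESSAGES[c] }.join('; ')
    puts "#{name}: #{status}"
  end
end
```

The lint only reads configuration: whether Backstage actually refuses a guest provider outside development at runtime is Backstage's own check, which is why the script reports the flag and the environment mismatch as written rather than inferring behaviour. Pointed at the rendered ConfigMap from a cluster (the YAML of the object the operator creates) rather than the bundle file, the same `unwrap_default_app_config` call confirms that the escaped single-line string survived serialisation as the intended multi-line document.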

@openshift-ci openshift-ci Bot added the lgtm label Mar 24, 2026
@sonarqubecloud

@rhdh-qodo-merge

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
restore import alias

Restore the v1 alias for the
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 import to prevent
potential compilation errors in the auto-generated code.

api/v1alpha3/zz_generated.deepcopy.go [8]

-"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
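
Review bot: both forms bind the identifier `v1`, because the package clause of `k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1` is `v1`, so restoring the alias can neither cause nor fix a compile error on its own; the difference is purely formatting, which is consistent with the PR walkthrough labelling it "Fix import formatting in generated code". Since `zz_generated.deepcopy.go` is generated, the thing to check is that the committed form matches what the generator emits, or the line will churn on every regeneration.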
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies that removing the v1 import alias in an auto-generated file will likely cause compilation errors, making this a critical fix for correctness.

High
General
Improve readability of nested YAML

Reformat the app-config.yaml value from a single-line escaped string to a
multi-line YAML block scalar (|) to improve readability and maintainability.

bundle/rhdh/manifests/rhdh-default-config_v1_configmap.yaml [3-12]

-app-config.yaml: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: my-backstage-config-cm1 # placeholder for <bs>-default-appconfig\ndata:\n  default.app-config.yaml: |\n    ###########################################################################################################\n    # /!\\ WARNING\n    #\n    # This is the default app-config file created and managed by the Operator for your CR.\n    # Do NOT edit this manually in the Cluster, as your changes will be overridden by the Operator upon the\n    # next reconciliation.\n    # If you want to customize the application configuration, you should create your own app-config ConfigMap\n    # and reference it in your CR.\n    # See https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.4/html/configuring/provisioning-and-using-your-custom-configuration#provisioning-your-custom-configuration\n    # for more details.\n    ###########################################################################################################\n    auth:\n      environment: development\n      providers:  \n        {}\n"
+app-config.yaml: |
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: my-backstage-config-cm1 # placeholder for <bs>-default-appconfig
+  data:
+    default.app-config.yaml: |
+      ###########################################################################################################
+      # /!\ WARNING
+      #
+      # This is the default app-config file created and managed by the Operator for your CR.
+      # Do NOT edit this manually in the Cluster, as your changes will be overridden by the Operator upon the
+      # next reconciliation.
+      # If you want to customize the application configuration, you should create your own app-config ConfigMap
+      # and reference it in your CR.
+      # See https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.4/html/configuring/provisioning-and-using-your-custom-configuration#provisioning-your-custom-configuration
+      # for more details.
+      ###########################################################################################################
+      auth:
+        environment: development
+        providers: {}
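
Review bot: `bundle/rhdh/manifests/rhdh-default-config_v1_configmap.yaml` is generated output (the github-actions comment above states that bundle and installer changes are pushed to the branch automatically), so hand-reformatting the value into a block scalar will be undone on the next generation; if readability matters, change how the generator serialises this key. Note also that the suggestion turns `providers:  \n        {}` into `providers: {}`; the two parse to the same empty mapping, so no content change hides in this reformat.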


Suggestion importance[1-10]: 6


Why: The suggestion correctly identifies that converting a multi-line YAML to a single-line escaped string significantly harms readability and maintainability, and proposes reverting to a block scalar.

Low
fix install config block

In dist/rhdh/install.yaml, reformat the app-config.yaml value from a single-line
escaped string to a multi-line YAML block scalar (|) for improved readability.

dist/rhdh/install.yaml [1816-1825]

-app-config.yaml: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: my-backstage-config-cm1 # placeholder for <bs>-default-appconfig\ndata:\n  default.app-config.yaml: |\n    ###########################################################################################################\n    # /!\\ WARNING\n    # ...\n    auth:\n      environment: development\n      providers:  \n        {}\n"
+app-config.yaml: |
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: my-backstage-config-cm1 # placeholder for <bs>-default-appconfig
+  data:
+    default.app-config.yaml: |
+      ###########################################################################################################
+      # /!\ WARNING
+      #
+      # This is the default app-config file created and managed by the Operator for your CR.
+      # Do NOT edit this manually in the Cluster, as your changes will be overridden on reconciliation.
+      # If you want to customize the application configuration, create your own ConfigMap and reference it.
+      ###########################################################################################################
+      auth:
+        environment: development
+        providers: {}
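
Review bot: this is not a pure reformat. The `-` line only elides the warning header as `# ...`, while the `+` lines rewrite it: "will be overridden on reconciliation" and "create your own ConfigMap and reference it" replace the original sentences, and the `See https://docs.redhat.com/...` line is gone, so the rendered `default.app-config.yaml` would no longer match the source in `config/profile/rhdh/default-config/app-config.yaml`. Like the bundle manifest, `dist/rhdh/install.yaml` is generated; fix the serialisation in the generator and keep the warning text byte-for-byte.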


Suggestion importance[1-10]: 6


Why: The suggestion correctly identifies that converting a multi-line YAML to a single-line escaped string harms readability, and proposes reverting to a block scalar for better maintainability.

Low
Organization
best practice
Normalize YAML map formatting

Normalize the YAML formatting by removing trailing spaces and expressing the
empty map inline to avoid ambiguous indentation/serialization differences across
tooling.

config/profile/rhdh/default-config/app-config.yaml [18-21]

 auth:
   environment: development
-  providers:  
-    {}
+  providers: {}
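
Review bot: `providers:` followed by `{}` on the next line and `providers: {}` parse to the same empty mapping, so the trailing spaces are the only real defect here and this is cosmetic. The substantive question is the one raised under "Misconfiguration" in the reviewer guide above: with `environment: development` and an empty providers map there is no provider at all, which does not deliver the zero-config sign-in the PR description promises, so settle the final shape of this block before polishing its indentation.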
Suggestion importance[1-10]: 6


Why: Relevant best practice: keep configuration defaults unambiguous and correctly formatted (avoid trailing spaces and multi-line empty maps that can confuse users and tooling).

Low

@openshift-merge-bot openshift-merge-bot Bot merged commit dc90edc into redhat-developer:main Mar 24, 2026
9 checks passed
@gazarenkov gazarenkov deleted the sts-demo branch March 25, 2026 14:38