Red Hat Developer Hub 1.8

Setting up and configuring your first Red Hat Developer Hub instance

Prepare your IT infrastructure including Red Hat OpenShift Container Platform and required external components, and run your first Red Hat Developer Hub (RHDH) instance in production.

Red Hat Customer Content Services

Abstract

Prepare your IT infrastructure including Red Hat OpenShift Container Platform and required external components, and run your first Red Hat Developer Hub (RHDH) instance in production.

1. Checklist to run your first Red Hat Developer Hub (RHDH) instance in production.
2. Installing the Red Hat Developer Hub Operator
3. Preparing your external services
4. Provisioning your custom Red Hat Developer Hub configuration
5. Enabling authentication in Red Hat Developer Hub (with mandatory steps only)
6. Using the Red Hat Developer Hub Operator to run Developer Hub with your custom configuration
7. Customizing the theme mode for your Developer Hub instance
8. Managing role-based access controls (RBAC) using the Red Hat Developer Hub Web UI

Prepare your IT infrastructure including Red Hat OpenShift Container Platform and required external components, and run your first Red Hat Developer Hub (RHDH) instance in production.

1. Checklist to run your first Red Hat Developer Hub (RHDH) instance in production.

With the default configuration, Developer Hub runs with a minimal feature set that does not require secure connection to external services such as an identity provider, a Git provider, and external PostgreSQL and Redis databases.

Using critical features therefore requires following additional configuration:

For resiliency

Use an external PostgreSQL database.
Enable high-availability.

For performance

Enable assets caching to an external Redis database.

For security

Use secure connections to your external services.
Provision users and enable authentication.
Enable role-based access control, and configure the permission policy by using the Web UI.

For adapting to your environment

Enable GitHub repository discovery.
Customize Developer Hub appearance with your logo.

2. Installing the Red Hat Developer Hub Operator

As an administrator, you can install the Red Hat Developer Hub Operator. Authorized users can use the Operator to install Red Hat Developer Hub on Red Hat OpenShift Container Platform (OpenShift Container Platform) and supported Kubernetes platforms. For more information on supported platforms and versions, see the Red Hat Developer Hub Life Cycle page.

Containers are available for the following CPU architectures:

AMD64 and Intel 64 (x86_64)

Prerequisites

You are logged in as an administrator on the OpenShift Container Platform web console.
You have configured the appropriate roles and permissions within your project to create or access an application. For more information, see the Red Hat OpenShift Container Platform documentation on Building applications.
You have installed Red Hat OpenShift Container Platform 4.16 to 4.19.
Make sure that your system meets the minimum sizing requirements. See Sizing requirements for Red Hat Developer Hub.

Procedure

In the navigation menu of the OpenShift Container Platform console, click Operators > OperatorHub.
In the Filter by keyword box, enter Developer Hub and click the Red Hat Developer Hub Operator card.
On the Red Hat Developer Hub Operator page, read the information about the Operator and click Install to open the Install Operator page.
After the Operator is successfully installed, provision your custom configuration:
Before you create a Developer Hub instance, you must create the required config map and Secret resources in your project. These include the baseUrl and service-to-service authentication secrets.
For detailed steps, see Provisioning your custom Red Hat Developer Hub configuration.
From the Update channel drop-down menu, select the update channel that you want to use, for example, fast or fast-1.8.
Important
The `fast channel includes all of the updates available for a particular version. Any update might introduce unexpected changes in your Red Hat Developer Hub deployment. Check the release notes for details about any potentially breaking changes.
The fast-1.8 channel only provides z-stream updates, for example, updating from version 1.8.1 to 1.8.2. If you want to update the Red Hat Developer Hub y-version in the future, for example, updating from 1.8 to 1.9, you must switch to the fast-1.9 channel manually.
From the Version drop-down menu, select the version of the Red Hat Developer Hub Operator that you want to install. The default version is the latest version available in the selected channel.
Select the Operator Installation mode.
Note
The All namespaces on the cluster (default) option is selected by default. The Specific namespace on the cluster option is not currently supported.
In the Installed Namespace field, do one of the following actions:
- Select Operator recommended Namespace to create and use the rhdh-operator namespace. This option is selected by default.
- Select Select a Namespace to use an alternative namespace.
  - From the Select Project drop-down menu, do one of the following actions:
    Select an existing project.
    Select Create Project to create a new project for the Operator.
    On the Create Project dialog, enter text into the required fields and click Create.
    Important
    For enhanced security, better control over the Operator lifecycle, and preventing potential privilege escalation, install the Red Hat Developer Hub Operator in a dedicated default rhdh-operator namespace. You can restrict other users' access to the Operator resources through role bindings or cluster role bindings.
    You can also install the Operator in another namespace by creating the necessary resources, such as an Operator group. For more information, see Installing global Operators in custom namespaces.
    However, if the Red Hat Developer Hub Operator shares a namespace with other Operators, then it shares the same update policy as well, preventing the customization of the update policy. For example, if one Operator is set to manual updates, the Red Hat Developer Hub Operator update policy is also set to manual. For more information, see Colocation of Operators in a namespace.
Select the Update approval method for the Operator.
- If you select the Automatic option, the Operator is updated without requiring manual confirmation.
- If you select the Manual option, a notification opens when a new update is released in the update channel. The update must be manually approved by an administrator before installation can begin.
Click Install.
Note
If you selected a Manual approval strategy, the upgrade status of the subscription remains Upgrading until you review and approve the install plan. After you click Approve on the Install Plan page, the subscription upgrade status changes to Up to date.
If you selected an Automatic approval strategy, the upgrade status should resolve to Up to date without intervention.

Verification

Immediately after the Operator is installed, the dialog box on the OperatorHub page displays the Installed operator: ready for use message.
From the dialog box, do one of the following actions:
- Click View Operator to open the Operator details page for the Red Hat Developer Hub Operator.
- Click View all installed operators to open the Installed Operators page.
  - From the list of installed Operators, locate the Red Hat Developer Hub Operator name and details.
  - Click Red Hat Developer Hub Operator to open the Operator details page for the Red Hat Developer Hub Operator.

3. Preparing your external services

Red Hat Developer Hub relies on external services. Prepare the following required external services:

PostgreSQL database: Developer Hub stores data in a PostgreSQL database. Use an external database for resiliency and include it in your disaster recovery plan.
Redis cache: For efficiency, Developer Hub caches plugin and Techdocs assets when your provide a Redis cache server.
GitHub API access: Provide credentials to a GitHub app to enable access to the GitHub API for repository discovery.
Connection to your identity provider: Provide credentials to your identity provider to enable user provisioning and authentication.

Procedure

Get your external PostgreSQL database connection strings and certificates.
postgres-host
Your PostgreSQL instance Domain Name System (DNS) or IP address.
postgres-port
Your PostgreSQL instance port number, such as 5432.
postres-username
The user name to connect to your PostgreSQL instance.
postgres-password
The password to connect to your PostgreSQL instance.
postgres-ca.pem, postgres-key.key, postgres-crt.pem
For security, use TLS certificates to secure the connection to the database.
Get your Redis cache server connection string, such as rediss://user:pass@cache.example.com:6379. For security, consider using a rediss secure server connection.
Create a GitHub App to allow Developer Hub to access the GitHub API for repository. Opt for a GitHub App instead of an OAuth app to use fine-grained permissions, gain more control over which repositories the application can access, and use short-lived tokens.
Register a GitHub App with the following configuration:
GitHub App name
Enter a unique name identifying your GitHub App, such as integrating-with-rhdh-<GUID>.
Homepage URL
Enter your Developer Hub URL: https://<my_developer_hub_domain>.
Authorization callback URL
Enter your Developer Hub authentication backend URL: https://<my_developer_hub_domain>/api/auth/github/handler/frame.
Webhook
Clear "Active", as this is not needed for authentication and catalog providers.
App permissions
Select permissions to define the level of access for the app. Adapt permissions to your needs:
Reading software components
Contents
Read-only
Commit statuses
Read-only
Reading organization data
Members
Read-only
Publishing software templates
Set permissions if you intend to use the same GitHub App for software templates.
Administration
Read & write (for creating repositories)
Contents
Read & write
Metadata
Read-only
Pull requests
Read & write
Issues
Read & write
Workflows
Read & write (if templates include GitHub workflows)
Variables
Read & write (if templates include GitHub Action Repository Variables)
Secrets
Read & write (if templates include GitHub Action Repository Secrets)
Environments
Read & write (if templates include GitHub Environments)
Organization permissions
Members
Read-only
Where can this GitHub App be installed?
Select Only on this account.
In the General → Clients secrets section, click Generate a new client secret.
In the General → Private keys section, click Generate a private key.
In the Install App tab, choose an account to install your GitHub App on.
Save the following values for the next step:
App ID
Client ID
Client secret
Private key

4. Provisioning your custom Red Hat Developer Hub configuration

To configure Red Hat Developer Hub, provision your custom Red Hat Developer Hub config maps and secrets to {platform-long} before running Red Hat Developer Hub.

Tip

On Red Hat OpenShift Container Platform, you can skip this step to run Developer Hub with the default config map and secret. Your changes on this configuration might get reverted on Developer Hub restart.

Prerequisites

By using the {platform-cli-link}, you have access, with developer permissions, to the OpenShift cluster aimed at containing your Developer Hub instance.
You have the connection string to an active Redis server, such as rediss://user:pass@cache.example.com:6379. For security, consider using a rediss secure server connection. See Section 3, “Preparing your external services”.
You have an external PostgreSQL database, with the following details. See See Section 3, “Preparing your external services”.
postgres-host
Your PostgreSQL instance Domain Name System (DNS) or IP address.
postgres-port
Your PostgreSQL instance port number, such as 5432.
postres-username
The user name to connect to your PostgreSQL instance.
postgres-password
The password to connect to your PostgreSQL instance.
postgres-ca.pem, postgres-key.key, postgres-crt.pem
TLS certificates to secure the connection to the database.
You have a GitHub App enabling access to the GitHub API for repository discovery, with the following details. See Section 3, “Preparing your external services”.
GITHUB_INTEGRATION_APP_ID
Your GitHub integration App ID.
GITHUB_INTEGRATION_CLIENT_ID
Your GitHub integration App client ID.
GITHUB_INTEGRATION_CLIENT_SECRET
Your GitHub integration App client secret.
GITHUB_INTEGRATION_PRIVATE_KEY_FILE
Your GitHub integration App private key.

Procedure

For security, store your secrets as environment variables values in an OpenShift Container Platform secret, rather than in clear text in your configuration files. Collect all your secrets in the secrets.txt file, with one secret per line in KEY=value form.

Enter your custom logo.
```
BASE64_EMBEDDED_FULL_LOGO="data:image/svg+xml;base64,<base64_full_logo_data>"
BASE64_EMBEDDED_ICON_LOGO="data:image/svg+xml;base64,<base64_icon_logo_data>"
```
BASE64_EMBEDDED_FULL_LOGO
Enter your logo for the expanded (pinned) sidebar as a base64 encoded SVG image.
To encode your logo in base64, run:
```
$ base64 -i logo.svg
```
BASE64_EMBEDDED_ICON_LOGO
Enter your logo for the collapsed (unpinned) sidebar as a base64 encoded SVG image.
Enter the connection string to your Redis server that caches plugin assets.
```
REDIS_CONNECTION=rediss://user:pass@cache.example.com:6379
```

Enter your GitHub integration credentials:

GITHUB_INTEGRATION_APP_ID=_<Enter_the_saved_App_ID>
GITHUB_INTEGRATION_CLIENT_ID=<Enter_the_saved_Client_ID>
GITHUB_INTEGRATION_CLIENT_SECRET=<Enter_the_saved_Client_Secret>
GITHUB_INTEGRATION_HOST_DOMAIN=github.com
GITHUB_INTEGRATION_ORGANIZATION=<Enter_your_github_organization_name>
GITHUB_INTEGRATION_PRIVATE_KEY_FILE= <Enter_the_saved_Private_key>

Enter your PosgreSQL database secrets:

POSTGRES_PASSWORD: <postgres-password>
POSTGRES_PORT: "<postgres-port>"
POSTGRES_USER: <postgres-username>
POSTGRES_HOST: <postgres-host>
PGSSLMODE: verify-full
NODE_EXTRA_CA_CERTS: /opt/app-root/src/postgres-crt.pem

Enter your authentication secrets.

Author your custom app-config.yaml file. This is the main Developer Hub configuration file. You need a custom app-config.yaml file to avoid the Developer Hub installer to revert user edits during upgrades. When your custom app-config.yaml file is empty, Developer Hub is using default values.
1. For a production environment, start with the following setup:
  app-config.yaml
```
app:
  title: <Red Hat Developer Hub>
  branding:
    fullLogo: ${BASE64_EMBEDDED_FULL_LOGO}
    fullLogoWidth: 110px
    iconLogo: ${BASE64_EMBEDDED_ICON_LOGO}
backend:
  cache:
    store: redis
    connection: ${REDIS_CONNECTION}
techdocs:
  cache:
    ttl: 3600000
catalog:
  providers:
    github:
      providerId:
        organization: "${GITHUB_INTEGRATION_ORGANIZATION}"
        schedule:
          frequency:
            minutes: 30
          initialDelay:
            seconds: 15
          timeout:
            minutes: 15
integrations:
  github:
    - host: ${GITHUB_INTEGRATION_HOST_DOMAIN}
      apps:
        - appId: ${GITHUB_INTEGRATION_APP_ID}
          clientId: ${GITHUB_INTEGRATION_CLIENT_ID}
          clientSecret: ${GITHUB_INTEGRATION_CLIENT_SECRET}
          privateKey: |
            ${GITHUB_INTEGRATION_PRIVATE_KEY_FILE}
permission:
  enabled: true
  rbac:
    admin:
      users:
        - name: user:default/<your_policy_administrator_name>
    pluginsWithPermission:
      - catalog
      - scaffolder
      - permission
```
  Most fields use environment variables that you defined in secrets in the previous step.
  app
  title
  Enter your Developer Hub instance display name, such as <Red Hat Developer Hub>.
  branding
  Set your custom logo.
  Optionally, customize the width of the branding logo by changing value for the fullLogoWidth field. The following units are supported: integer, px, em, rem, percentage.
  backend
  cache
  Enable the plugins assets cache.
  techdocs
  cache
  Enable the Techdocs cache.
  catalog
  provider
  github
  Enable GitHub repository discovery.
  integrations
  github
  Enable GitHub repository discovery.
  permissions
  Enable Role-based access control. Enter your policy administrator name.
2. Additionally, provision users and enable authentication with your external identity provider.
Author your custom dynamic-plugins.yaml file to enable plugins. By default, Developer Hub enables a minimal plugin set, and disables plugins that require configuration or secrets, such as the GitHub repository discovery plugin and the Role-based access control (RBAC) plugin.
Enable the GitHub repository discovery and the RBAC features:
dynamic.plugins.yaml
```
includes:
  - dynamic-plugins.default.yaml
plugins:
  - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github
    disabled: false
  - package: ./dynamic-plugins/dist/backstage-community-plugin-rbac
    disabled: false
```
Provision your custom configuration files to your {platform} cluster.
1. Create the <my-rhdh-project> {namespace} aimed at containing your Developer Hub instance.
```
$ oc create namespace my-rhdh-project
```
2. Provision your app-config.yaml and dynamic-plugins.yaml files respectively to the my-rhdh-app-config, and dynamic-plugins-rhdh config maps in the <my-rhdh-project> project.
```
$ oc create configmap my-rhdh-app-config --from-file=app-config.yaml --namespace=my-rhdh-project
$ oc create configmap dynamic-plugins-rhdh --from-file=dynamic-plugins.yaml --namespace=my-rhdh-project
```
  Alternatively, create the config maps by using the web console.
3. Provision your secrets.txt file to the my-rhdh-secrets secret in the <my-rhdh-project> project.
```
$ oc create secret generic my-rhdh-secrets --from-file=secrets.txt --namespace=my-rhdh-project
```
  Alternatively, create the secret by using the web console.
4. Provision your PosgreSQL TLS certificates to the my-rhdh-database-secrets secret in the <my-rhdh-project> project.
```
$ oc create secret generic my-rhdh-secrets --from-file=postgres-ca.pem --from-file=postgres-crt.pem --from-file=postgres-key.key --namespace=my-rhdh-project
```

5. Enabling authentication in Red Hat Developer Hub (with mandatory steps only)

5.1. Understanding authentication and user provisioning

Learn about the authentication process from creating user and group entities in the software catalog to user sign-in, and how authentication and catalog plugins enable each step. Understanding this process is essential for successfully configuring your Developer Hub instance, securing access through authorization, and enabling features that rely on synchronized user and group data.

To fully enable catalog features, provision user and group data from the Identity Provider to the Developer Hub software catalog. Catalog provider plugins handle this task asynchronously. These plugins query the Identity Provider (IdP) for relevant user and group information, and create or update corresponding entities in the Developer Hub catalog. Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization.

When a user attempts to access Developer Hub, Developer Hub redirects them to a configured authentication provider, such as Red Hat Build of Keycloak (RHBK), GitHub, or Microsoft Azure. This external IdP is responsible for authenticating the user.

On successful authentication, the Developer Hub authentication plugin, configured in your app-config.yaml file, processes the response from the IdP, resolves the identity in the Developer Hub software catalog, and establishes a user session within Developer Hub.

Configuring authentication and user provisioning is critical for several reasons.

Securing your Developer Hub instance by ensuring only authenticated users can gain access.
Enabling authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP.
Provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components.
Important
Without this provisioning step, features such as displaying who owns a catalog entity might not function correctly.

Tip

To explore Developer Hub features in a non-production environment, you can:

To use Developer Hub without external IdP, enable the guest user to skip configuring authentication and authorization, log in as the guest user, and access all Developer Hub features.
To use Developer Hub without authorization policies and features relying on the software catalog, you can enable the dangerouslyAllowSignInWithoutUserInCatalog resolver option. This setting bypasses the check requiring a user to be in the catalog but still enforces authentication.

Important

Developer Hub uses a one-way synchronization model, where user and group data flow from your Identity Provider to the Developer Hub software catalog. As a result, deleting users or groups manually through the Developer Hub Web UI or REST API might be ineffective or cause inconsistencies, since Developer Hub will create those entities again during the next import.

5.2. Authenticating with the Guest user

For trial or non-production environments, you can enable guest access to skip configuring authentication and authorization and explore Developer Hub features.

5.2.1. Authenticating with the Guest user on an Operator-based installation

For trial or non-production environments installed by using the Red Hat Developer Hub Operator, you can enable guest access to skip configuring authentication and authorization and explore Developer Hub features.

Prerequisites

You added a custom Developer Hub application configuration, and have enough permissions to change it.
You use the Red Hat Developer Hub Operator to run Developer Hub.

Procedure

Add the following content to the app-config.yaml file:

auth:
  environment: development
  providers:
    guest:
      dangerouslyAllowOutsideDevelopment: true

Verification

Go to the Developer Hub login page.
To log in with the Guest user account, click Enter in the Guest tile.
In the Developer Hub Settings page, your profile name is Guest.
You can use Developer Hub features.

5.2.2. Authenticating with the Guest user on a Helm-based installation

For trial or non-production environments installed by using the Red Hat Developer Hub Helm chart, you can enable guest access to skip configuring authentication and authorization and explore Developer Hub features.

Prerequisites

You added a custom Developer Hub application configuration, and have enough permissions to change it.
You use the Red Hat Developer Hub Helm chart to run Developer Hub.

Procedure

Add following content to your Red Hat Developer Hub Helm Chart:

upstream:
  backstage:
    appConfig:
      app:
        baseUrl: 'https://{{- include "janus-idp.hostname" . }}'
      auth:
        environment: development
        providers:
          guest:
            dangerouslyAllowOutsideDevelopment: true

Verification

Go to the Developer Hub login page.
To log in with the Guest user account, click Enter in the Guest tile.
In the Developer Hub Settings page, your profile name is Guest.
You can use Developer Hub features.

5.3. Enabling user authentication with Red Hat Build of Keycloak (RHBK)

Authenticate users with Red Hat Build of Keycloak (RHBK), by provisioning the users and groups from RHBK to the Developer Hub software catalog, and configuring the OpenID Connect (OIDC) authentication provider in Red Hat Developer Hub.

Prerequisites

You added a custom Developer Hub application configuration, and have enough permissions to change it.
You have enough permissions in RHSSO to create and manage a realm and a client. Alternatively, your RHBK administrator can prepare in RHBK the required realm and client for you.

Procedure

To allow Developer Hub to authenticate with RHBK, complete the steps in RHBK, to create a realm and a user and secure the first application:
1. Use an existing realm, or create a realm, with a distinctive Name such as <my_realm>. Save the value for the next step:
  - RHBK realm base URL, such as: <your_rhbk_URL>/realms/<your_realm>.
2. To register your Developer Hub in RHBK, in the created realm, secure the first application, with:
  1. Client ID: A distinctive client ID, such as <RHDH>.
  2. Valid redirect URIs: Set to the OIDC handler URL: https://<my_developer_hub_domain>/api/auth/oidc/handler/frame.
  3. Go to the Credentials tab and copy the Client secret.
  4. Save the values for the next step:
    Client ID
    Client Secret
3. To prepare for the verification steps, in the same realm, get the credential information for an existing user or create a user. Save the user credential information for the verification steps.
To add your RHSSO credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets. You can use these secrets in the Developer Hub configuration files by using their environment variable name.
KEYCLOAK_CLIENT_ID
Enter the saved Client ID.
KEYCLOAK_CLIENT_SECRET
Enter the saved Client Secret.
KEYCLOAK_BASE_URL
Enter the saved RHBK realm base URL.
Enable the Keycloak organization plugin (backstage-plugin-catalog-backend-module-keycloak-dynamic) in your dynamic-plugins.yaml file. The plugin is named after RHBK upstream project. This plugin imports RHBK users and groups to the Developer Hub software catalog.
```
plugins:
  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-keycloak-dynamic'
    disabled: false
```
To provision RHBK users and groups to the Developer Hub software catalog, add the catalog.providers.keycloakOrg section to your custom Developer Hub app-config.yaml configuration file:
```
catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: ${KEYCLOAK_BASE_URL}
        clientId: ${KEYCLOAK_CLIENT_ID}
        clientSecret: ${KEYCLOAK_CLIENT_SECRET}
        realm: master
        loginRealm: master
```
baseUrl
Enter your RHBK server URL, defined earlier.
clientId
Enter your Developer Hub application client ID in RHBK, defined earlier.
clientSecret
Enter your Developer Hub application client secret in RHBK, defined earlier.
realm
Enter the realm name to provision users, such as master.
loginRealm
Enter the realm name to authenticate users, such as master.
Optional: Add optional fields. See Configuring Red Hat Developer Hub.
To set up the RHBK authentication provider in your Developer Hub custom configuration, edit your custom Developer Hub ConfigMap such as app-config-rhdh, and add the following lines to the app-config.yaml content:
```
auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${KEYCLOAK_BASE_URL}
        clientId: ${KEYCLOAK_CLIENT_ID}
        clientSecret: ${KEYCLOAK_CLIENT_SECRET}
        prompt: auto
signInPage: oidc
```
environment: production
Mark the environment as production to hide the Guest login in the Developer Hub home page.
metadataUrl, clientId, clientSecret
To configure the OIDC provider with your secrets.
sigInPage: oidc
To enable the OIDC provider as default sign-in provider.
prompt: auto
To allow the identity provider to automatically determine whether to prompt for credentials or bypass the login redirect if an active RHSSO session exists.
Note
If prompt: auto is not set, the identity provider defaults to prompt: none, which assumes that you are already logged in and rejects sign-in requests without an active session.
Optional: Add optional fields. See Configuring Red Hat Developer Hub.

Verification

To verify user and group provisioning, check the console logs.

Successful synchronization example:

2025-06-27T16:02:34.647Z catalog info Read 5 Keycloak users and 3 Keycloak groups in 0.4 seconds. Committing... class="KeycloakOrgEntityProvider" taskId="KeycloakOrgEntityProvider:default:refresh" taskInstanceId="db55c34b-46b3-402b-b12f-2fbc48498e82" trace_id="606f80a9ce00d1c86800718c4522f7c6" span_id="7ebc2a254a546e90" trace_flags="01"

2025-06-27T16:02:34.650Z catalog info Committed 5 Keycloak users and 3 Keycloak groups in 0.0 seconds. class="KeycloakOrgEntityProvider" taskId="KeycloakOrgEntityProvider:default:refresh" taskInstanceId="db55c34b-46b3-402b-b12f-2fbc48498e82" trace_id="606f80a9ce00d1c86800718c4522f7c6" span_id="7ebc2a254a546e90" trace_flags="01"

To verify RHBK user authentication:
1. Go to the Developer Hub login page.
2. Your Developer Hub sign-in page displays Sign in using OIDC and the Guest user sign-in is disabled.
3. Log in with OIDC by using the saved Username and Password values.

5.4. Enabling user authentication with GitHub

Authenticate users with GitHub by provisioning the users and groups from GitHub to the Developer Hub software catalog, and configuring the GitHub authentication provider in Red Hat Developer Hub.

Prerequisites

You added a custom Developer Hub application configuration, and have enough permissions to change it.

You have enough permissions in GitHub to create and manage a GitHub App. Alternatively, you can ask your GitHub administrator to prepare the required GitHub App.

Procedure

To allow Developer Hub to authenticate with GitHub, create a GitHub App. Opt for a GitHub App instead of an OAuth app to use fine-grained permissions, use short-lived tokens, scale with the number of installations by avoiding rate limits, and have a more transparent integration by avoiding to request user input.
1. Register a GitHub App with the following configuration:
  GitHub App name
  Enter a unique name identifying your GitHub App, such as authenticating-with-rhdh-<GUID>.
  Homepage URL
  Enter your Developer Hub URL: https://<my_developer_hub_domain>.
  Authorization callback URL
  Enter your Developer Hub authentication backend URL: https://<my_developer_hub_domain>/api/auth/github/handler/frame.
  Webhook
  Clear "Active", as this is not needed for authentication and catalog providers.
  Organization permissions
  Enable Read-only access to Members.
  Where can this GitHub App be installed?
  Select Only on this account.
2. In the General → Clients secrets section, click Generate a new client secret.
3. In the Install App tab, choose an account to install your GitHub App on.
4. Save the following values for the next step:
  - Client ID
  - Client secret
To add your GitHub credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets. You can use these secrets in the Developer Hub configuration files by using their environment variable name.
GITHUB_CLIENT_ID
Enter the saved Client ID.
GITHUB_CLIENT_SECRET
Enter the saved Client Secret.
GITHUB_URL
Enter the GitHub host domain: github.com.
GITHUB_ORG
Enter your GitHub organization name, such as <your_github_organization_name>.
Enable the GitHub organization provisioning plugin (backstage-plugin-catalog-backend-module-github-org). This plugin imports GitHub users and groups to the Developer Hub software catalog.
dynamic-plugins.yaml file fragment:
```
plugins:
  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org'
    disabled: false
```
Provision GitHub users and groups to the Developer Hub software catalog by adding the catalog.providers.githubOrg section to your custom Developer Hub app-config.yaml configuration file:
```
catalog:
  providers:
    githubOrg:
      id: githuborg
      githubUrl: "${GITHUB_URL}"
      orgs: [ "${GITHUB_ORG}" ]
      schedule:
        frequency:
          minutes: 30
        initialDelay:
          seconds: 15
        timeout:
          minutes: 15
```
id
Enter a stable identifier for this provider, such as githuborg. Entities from this provider are associated with this identifier, therefore you must take care not to change it over time since that might lead to orphaned entities or conflicts.
githubUrl
Enter the configured secret variable name: ${GITHUB_URL}.
orgs
Enter the configured secret variable name: ${GITHUB_ORG}.
schedule.frequency
Enter your schedule frequency, in the cron, ISO duration, or "human duration" format.
schedule.timeout
Enter your schedule timeout, in the ISO duration or "human duration" format.
schedule.initialDelay
Enter your schedule initial delay, in the ISO duration or "human duration" format.
To set up the GitHub authentication provider, add the auth.providers.github section to your app-config.yaml file:
```
auth:
  environment: production
  providers:
    github:
      production:
        clientId: ${GITHUB_CLIENT_ID}
        clientSecret: ${GITHUB_CLIENT_SECRET}
signInPage: github
```
environment
Enter production to disable the Guest login option in the Developer Hub login page.
clientId
Enter the configured secret variable name: ${GITHUB_CLIENT_ID}.
clientSecret
Enter the configured secret variable name: ${GITHUB_CLIENT_SECRET}.
signInPage
Enter github to enable the GitHub provider as your Developer Hub sign-in provider.
Optional: Consider adding optional fields. See Configuring Red Hat Developer Hub.

Verification

Verify user and group provisioning by checking the console logs.

Successful synchronization example:

{"class":"GithubMultiOrgEntityProvider","level":"info","message":"Reading GitHub users and teams for org: rhdh-dast","plugin":"catalog","service":"backstage","target":"https://github.com","taskId":"GithubMultiOrgEntityProvider:githuborg:refresh","taskInstanceId":"801b3c6c-167f-473b-b43e-e0b4b780c384","timestamp":"2024-09-09 23:55:58"}
{"class":"GithubMultiOrgEntityProvider","level":"info","message":"Read 7 GitHub users and 2 GitHub groups in 0.4 seconds. Committing...","plugin":"catalog","service":"backstage","target":"https://github.com","taskId":"GithubMultiOrgEntityProvider:githuborg:refresh","taskInstanceId":"801b3c6c-167f-473b-b43e-e0b4b780c384","timestamp":"2024-09-09 23:55:59"}

To verify GitHub authentication:
1. Go to the Developer Hub login page.
2. Your Developer Hub sign-in page displays Sign in using GitHub and the Guest user sign-in is disabled.
3. Log in with a GitHub account.

Additional resources

Integrating Red Hat Developer Hub with GitHub

5.5. Enabling user authentication with Microsoft Azure

Authenticate users with Microsoft Azure by provisioning the users and groups from Azure to the Developer Hub software catalog, and configuring the Azure authentication provider in Red Hat Developer Hub.

Prerequisites

You have the permission to register an application in Azure. Alternatively, you can ask your Azure administrator to prepare the required Azure application.
You added a custom Developer Hub application configuration, and have enough permissions to change it.
Your Developer Hub backend can access the following hosts:
login.microsoftonline.com
The Microsoft Azure authorization server, which enables the authentication flow.
graph.microsoft.com
The server for retrieving organization data, including user and group data, to import into the Developer Hub catalog.

Procedure

To allow Developer Hub to authenticate with Azure, Register an app by using the Azure portal.
1. Sign in to the Microsoft Entra admin center.
2. Optional: If you have access to many tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
3. Browse to Applications > App registrations, and create a New registration with the configuration:
  Name
  Enter a name to identify your application in Azure, such as <Authenticating with Developer Hub>.
  Supported account types
  Select Accounts in this organizational directory only.
  Redirect URI
  Select a platform
  Select Web.
  URL
  Enter the backend authentication URI set in Developer Hub: https://<my_developer_hub_domain>/api/auth/microsoft/handler/frame
4. On the Applications > App registrations > <Authenticating with Developer Hub> > Manage > API permissions page, Add a Permission, Microsoft Graph, select the following permissions:
  Application Permissions
  GroupMember.Read.All, User.Read.All
  Enter permissions that enable provisioning user and groups to the Developer Hub software catalog.
  Optional: Grant admin consent for these permissions. Even if your company does not require admin consent, consider doing so as it means users do not need to individually consent the first time they access Developer Hub.
  Delegated Permissions
  User.Read, email, offline_access, openid, profile
  Enter permissions that enable authenticating users.
  Optional: Enter optional custom scopes for the Microsoft Graph API that you define both here and in your app-config.yaml Developer Hub configuration file.
5. On the Applications > App registrations > <Authenticating with Developer Hub> > Manage > Certificates & secrets page, in the Client secrets tab, create a New client secret.
6. Save the following values for the next step:
  - Directory (tenant) ID
  - Application (client) ID
  - Application (client) Secret ID
To add your Azure credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets:
AUTHENTICATION_AZURE_TENANT_ID
Enter your saved Directory (tenant) ID.
AUTHENTICATION_AZURE_CLIENT_ID
Enter your saved Application (client) ID.
AUTHENTICATION_AZURE_CLIENT_SECRET
Enter your saved Application (client) secret.
Enable the Microsoft Graph organization provisioning plugin (backstage-plugin-catalog-backend-module-msgraph-dynamic) in your dynamic-plugins.yaml file. This plugin imports Azure users and groups to the Developer Hub software catalog.
```
plugins:
  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-msgraph-dynamic'
    disabled: false
```
To provision Azure users and groups to the Developer Hub software catalog, add the catalog.providers.microsoftGraphOrg section to your custom Developer Hub app-config.yaml configuration file:
```
catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        target: https://graph.microsoft.com/v1.0
        tenantId: ${AUTHENTICATION_AZURE_TENANT_ID}
        clientId: ${AUTHENTICATION_AZURE_CLIENT_ID}
        clientSecret: ${AUTHENTICATION_AZURE_CLIENT_SECRET}
        schedule:
          frequency:
            hours: 1
          timeout:
            minutes: 50
          initialDelay:
            minutes: 50
```
target
Enter https://graph.microsoft.com/v1.0 to define the MSGraph API endpoint the provider is connecting to. You might change this parameter to use a different version, such as the beta endpoint.
tenandId
Enter the configured secret variable name: ${AUTHENTICATION_AZURE_TENANT_ID}.
clientId
Enter the configured secret variable name: ${AUTHENTICATION_AZURE_CLIENT_ID}.
clientSecret
Enter the configured secret variable name: ${AUTHENTICATION_AZURE_CLIENT_SECRET}.
schedule
frequency
Enter the schedule frequency in the cron, ISO duration, or human duration format. In a large organization, user provisioning might take a long time, therefore avoid using a low value.
timeout
Enter the schedule timeout in the ISO duration or human duration format. In a large organization, user provisioning might take a long time, therefore avoid using a low value.
initialDelay
Enter the schedule initial delay in the ISO duration or human duration format.
Optional: Consider adding optional fields. See Configuring Red Hat Developer Hub.
To set up the Azure authentication provider, add the auth.providers.microsoft section to your app-config.yaml file content:
```
auth:
  environment: production
  providers:
    microsoft:
      production:
        clientId: ${AUTHENTICATION_AZURE_CLIENT_ID}
        clientSecret: ${AUTHENTICATION_AZURE_CLIENT_SECRET}
        tenantId: ${AUTHENTICATION_AZURE_TENANT_ID}
signInPage: microsoft
```
environment
Enter production to disable the Guest login option in the Developer Hub login page.
clientId
Enter the configured secret variable name: ${AUTHENTICATION_AZURE_CLIENT_ID}.
clientSecret
Enter the configured secret variable name: ${AUTHENTICATION_AZURE_CLIENT_SECRET}.
tenantId
Enter the configured secret variable name: ${AUTHENTICATION_AZURE_TENANT_ID}.
signInPage
Enter microsoft to set the Azure provider as your Developer Hub sign-in provider.
Optional: Add optional fields. See Configuring Red Hat Developer Hub.

Verification

To verify user and group provisioning, check the console logs for MicrosoftGraphOrgEntityProvider events.

Successful synchronization example:

2025-06-23T13:37:55.804Z catalog info Read 9 msgraph users and 3 msgraph groups in 1.5 seconds. Committing... class="MicrosoftGraphOrgEntityProvider" taskId="MicrosoftGraphOrgEntityProvider:providerId:refresh" taskInstanceId="e104a116-6481-4ceb-9bc4-0f8f9581f959" trace_id="e4c633659cffd6b1529afa55a5bfbad7" span_id="76affd0420e8baa6" trace_flags="01"

2025-06-23T13:37:55.811Z catalog info Committed 9 msgraph users and 3 msgraph groups in 0.0 seconds. class="MicrosoftGraphOrgEntityProvider" taskId="MicrosoftGraphOrgEntityProvider:providerId:refresh" taskInstanceId="e104a116-6481-4ceb-9bc4-0f8f9581f959" trace_id="e4c633659cffd6b1529afa55a5bfbad7" span_id="76affd0420e8baa6" trace_flags="01"

To verify Azure user authentication:
1. Go to the Developer Hub login page.
2. Your Developer Hub sign-in page displays Sign in using Microsoft and the Guest user sign-in is disabled.
3. Log in with an Azure account.

6. Using the Red Hat Developer Hub Operator to run Developer Hub with your custom configuration

Use the Developer Hub Operator to run Red Hat Developer Hub with your custom configuration by creating your Backstage custom resource (CR) that can perform the following actions:

Mount files provisioned in your custom config maps.
Inject environment variables provisioned in your custom secrets.

Prerequisites

By using the OpenShift CLI (oc), you have access, with developer permissions, to the OpenShift Container Platform cluster aimed at containing your Developer Hub instance.
Section 2, “Installing the Red Hat Developer Hub Operator”
Section 4, “Provisioning your custom Red Hat Developer Hub configuration”

Procedure

Author your Backstage CR in a my-rhdh-custom-resource.yaml file to use your custom config maps and secrets.
my-rhdh-custom-resource.yaml custom resource example with dynamic plugins and RBAC policies config maps, and external PostgreSQL database secrets.
```
apiVersion: rhdh.redhat.com/v1alpha3
kind: Backstage
metadata:
  name: <my-rhdh-custom-resource>
spec:
  application:
    appConfig:
      mountPath: /opt/app-root/src
      configMaps:
         - name: my-rhdh-app-config
         - name: rbac-policies
    dynamicPluginsConfigMapName: dynamic-plugins-rhdh
    extraEnvs:
      envs:
        - name: HTTP_PROXY
          value: 'http://10.10.10.105:3128'
        - name: HTTPS_PROXY
          value: 'http://10.10.10.106:3128'
        - name: NO_PROXY
          value: 'localhost,example.org'
      secrets:
         - name: my-rhdh-secrets
    extraFiles:
      mountPath: /opt/app-root/src
      secrets:
        - name: my-rhdh-database-certificates-secrets
          key: postgres-crt.pem, postgres-ca.pem, postgres-key.key
    replicas: 2
  database:
    enableLocalDb: false
```
application
appConfig
Register your my-rhdh-app-config and rbac-policies config maps.
dynamicPluginsConfigMapName
Register your dynamic-plugins-rhdh config map.
extraEnvs
env
Enter your proxy environment variables.
secrets
Register your <my_product_secrets> and my-rhdh-database-secrets secrets.
extraFiles
secrets
Register the postgres-crt.pem, postgres-ca.pem, and postgres-key.key files contained in the my-rhdh-database-certificates-secrets secret.
replicas
Enable high availability (HA) by increasing the replicas count to a value higher or equal to 2.
database
enableLocalDb
Use your external PostgreSQL database rather than the internal PostgreSQL database.

Apply your Backstage CR to start or update your Developer Hub instance.

$ oc apply --filename=my-rhdh-custom-resource.yaml --namespace=my-rhdh-project

7. Customizing the theme mode for your Developer Hub instance

You can choose one of the following theme modes for your Developer Hub instance:

Light
Dark
Auto

Note

In Developer Hub, theme configurations are used to change the look and feel of different UI components. So, you might notice changes in different UI components, such as buttons, tabs, sidebars, cards, and tables along with some changes in background color and font used on the RHDH pages.

The default theme mode is Auto, which automatically sets the light or dark theme based on your system preferences.

Prerequisites

You are logged in to the Developer Hub web console.

Procedure

From the Developer Hub web console, click Settings.
From the Appearance panel, click Light, Dark, or Auto to change the theme mode.

8. Managing role-based access controls (RBAC) using the Red Hat Developer Hub Web UI

Policy administrators can use the Developer Hub web interface (Web UI) to allocate specific roles and permissions to individual users or groups. Allocating roles ensures that access to resources and functionalities is regulated across the Developer Hub.

With the policy administrator role in Developer Hub, you can assign permissions to users and groups. This role allows you to view, create, modify, and delete the roles using Developer Hub Web UI.

8.1. Creating a role in the Red Hat Developer Hub Web UI

You can create a role in the Red Hat Developer Hub using the Web UI.

Prerequisites

You have enabled RBAC, have a policy administrator role in Developer Hub, and have added plugins with permission.

Procedure

Go to Administration at the bottom of the sidebar in the Developer Hub.
The RBAC tab appears, displaying all the created roles in the Developer Hub.
(Optional) Click any role to view the role information on the OVERVIEW page.
Click CREATE to create a role.
Enter the name and description of the role in the given fields and click NEXT.
Add users and groups using the search field, and click NEXT.
Select Plugin and Permission from the drop-downs in the Add permission policies section.
Select or clear the Policy that you want to set in the Add permission policies section, and click NEXT.
Review the added information in the Review and create section.
Click CREATE.

Verification

The created role appears in the list available in the RBAC tab.

8.2. Editing a role in the Red Hat Developer Hub Web UI

You can edit a role in the Red Hat Developer Hub using the Web UI.

Note

The policies generated from a policy.csv or ConfigMap file cannot be edited or deleted using the Developer Hub Web UI.

Prerequisites

You have enabled RBAC, have a policy administrator role in Developer Hub, and have added plugins with permission.
The role that you want to edit is created in the Developer Hub.

Procedure

Go to Administration at the bottom of the sidebar in the Developer Hub.
The RBAC tab appears, displaying all the created roles in the Developer Hub.
(Optional) Click any role to view the role information on the OVERVIEW page.
Select the edit icon for the role that you want to edit.
Edit the details of the role, such as name, description, users and groups, and permission policies, and click NEXT.
Review the edited details of the role and click SAVE.

After editing a role, you can view the edited details of a role on the OVERVIEW page of a role. You can also edit a role’s users and groups or permissions by using the edit icon on the respective cards on the OVERVIEW page.

8.3. Deleting a role in the Red Hat Developer Hub Web UI

You can delete a role in the Red Hat Developer Hub using the Web UI.

Note

The policies generated from a policy.csv or ConfigMap file cannot be edited or deleted using the Developer Hub Web UI.

Prerequisites

You have enabled RBAC and have a policy administrator role in Developer Hub.
The role that you want to delete is created in the Developer Hub.

Procedure

Go to Administration at the bottom of the sidebar in the Developer Hub.
The RBAC tab appears, displaying all the created roles in the Developer Hub.
(Optional) Click any role to view the role information on the OVERVIEW page.
Select the delete icon from the Actions column for the role that you want to delete.
Delete this role? pop-up appears on the screen.
Click DELETE.

Legal Notice

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.