Merge branch 'release-1.5' into RHIDP-6323

Author: Gerry-Forde

artifacts/rhdh-plugins-reference/argocd/argocd-plugin-admin.adoc

@@ -70,6 +70,159 @@ global:
         disabled: false
 ----
 
+== Enabling Argo CD Rollouts
+
+The optional Argo CD Rollouts feature enhances Kubernetes by providing advanced deployment strategies, such as blue-green and canary deployments, for your applications. When integrated into the backstage Kubernetes plugin, it allows developers and operations teams to visualize and manage Argo CD Rollouts seamlessly within the Backstage interface.
+
+.Prerequisites
+
+* The Backstage Kubernetes plugin (`@backstage/plugin-kubernetes`) is installed and configured. 
+
+** To install and configure Kubernetes plugin in Backstage, see link:https://backstage.io/docs/features/kubernetes/installation/[Installaltion] and link:https://backstage.io/docs/features/kubernetes/configuration/[Configuration] guide.
+
+* You have access to the Kubernetes cluster with the necessary permissions to create and manage custom resources and `ClusterRoles`.
+
+* The Kubernetes cluster has the `argoproj.io` group resources (for example, Rollouts and AnalysisRuns) installed.
+
+.Procedure
+
+. In the `app-config.yaml` file in your Backstage instance, add the following `customResources` component under the `kubernetes` configuration to enable Argo Rollouts and AnalysisRuns:
+
++
+[source,yaml]
+----
+kubernetes:
+  ...
+  customResources:
+    - group: 'argoproj.io'
+      apiVersion: 'v1alpha1'
+      plural: 'Rollouts'
+    - group: 'argoproj.io'
+      apiVersion: 'v1alpha1'
+      plural: 'analysisruns'
+----
+
+. Grant `ClusterRole` permissions for custom resources.
+
++
+[NOTE]
+====
+
+* If the Backstage Kubernetes plugin is already configured, the `ClusterRole` permissions for Rollouts and AnalysisRuns might already be granted.
+
+* Use the link:https://raw.githubusercontent.com/backstage/community-plugins/main/workspaces/redhat-argocd/plugins/argocd/manifests/clusterrole.yaml[prepared manifest] to provide read-only `ClusterRole` access to both the Kubernetes and ArgoCD plugins.
+====
+
+.. If the `ClusterRole` permission is not granted, use the following YAML manifest to create the `ClusterRole`:
+
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: backstage-read-only
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - rollouts
+      - analysisruns
+    verbs:
+      - get
+      - list
+----
+
+.. Apply the manifest to the cluster using `kubectl`:
++
+[source,bash]
+----
+kubectl apply -f <your-clusterrole-file>.yaml
+----
+
+.. Ensure the `ServiceAccount` accessing the cluster has this `ClusterRole` assigned.
+
+. Add annotations to `catalog-info.yaml` to identify Kubernetes resources for Backstage.
+
+.. For identifying resources by entity ID:
++
+[source,yaml]
+----
+annotations:
+  ...
+  backstage.io/kubernetes-id: <BACKSTAGE_ENTITY_NAME>
+----
+
+.. (Optional) For identifying resources by namespace:
++
+[source,yaml]
+----
+annotations:
+  ...
+  backstage.io/kubernetes-namespace: <RESOURCE_NAMESPACE>
+----
+
+.. For using custom label selectors, which override resource identification by entity ID or namespace:
++
+[source,yaml]
+----
+annotations:
+  ...
+  backstage.io/kubernetes-label-selector: 'app=my-app,component=front-end'
+----
++
+[NOTE]
+====
+Ensure you specify the labels declared in `backstage.io/kubernetes-label-selector` on your Kubernetes resources. This annotation overrides entity-based or namespace-based identification annotations, such as `backstage.io/kubernetes-id` and `backstage.io/kubernetes-namespace`.
+====
+
+. Add label to Kubernetes resources to enable Backstage to find the appropriate Kubernetes resources.
+
+.. Backstage Kubernetes plugin label: Add this label to map resources to specific Backstage entities.
++
+[source,yaml]
+----
+labels:
+  ...
+  backstage.io/kubernetes-id: <BACKSTAGE_ENTITY_NAME>
+----
+
+.. GitOps application mapping: Add this label to map Argo CD Rollouts to a specific GitOps application
++
+[source,yaml]
+----
+labels:
+  ...
+  app.kubernetes.io/instance: <GITOPS_APPLICATION_NAME>
+----
+
++
+[NOTE]
+====
+If using the label selector annotation (backstage.io/kubernetes-label-selector), ensure the specified labels are present on the resources. The label selector will override other annotations like kubernetes-id or kubernetes-namespace.
+====
+
+.Verification
+
+. Push the updated configuration to your GitOps repository to trigger a rollout.
+
+. Open {Product} interface and navigate to the entity you configured.
+
+. Select the *CD* tab and then select the *GitOps application*. The side panel opens. 
+
+. In the *Resources* table of the side panel, verify that the following resources are displayed:
+
+* Rollouts
+
+* AnalysisRuns (optional)
+
+. Expand a rollout resource and review the following details:
+
+* The Revisions row displays traffic distribution details for different rollout versions.
+
+* The Analysis Runs row displays the status of analysis tasks that evaluate rollout success.
+
+
 [role="_additional-resources"]
 .Additional resources
 

assemblies/assembly-configuring-authorization-in-rhdh.adoc

@@ -41,6 +41,9 @@ include::assembly-managing-authorizations-by-using-the-rest-api.adoc[leveloffset
 include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffset=+1]
 
 
+include::assembly-configuring-guest-access-with-rbac-ui.adoc[leveloffset=+1]
+
+
 include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
 
 

assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc

@@ -0,0 +1,13 @@
+[id="configuring-guest-access-with-rbac-ui_{context}"]
+= Configuring guest access with RBAC UI
+
+Use guest access with the role-based access control (RBAC) front-end plugin to allow a user to test role and policy creation without the need to set up and configure an authentication provider.
+
+[NOTE]
+====
+Guest access is not recommended for production.
+====
+
+include::modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc[leveloffset=+1]
+
+include::modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc[leveloffset=+1]

assemblies/assembly-configuring-readonlyrootfilesystem.adoc

@@ -0,0 +1,13 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: readonlyrootfilesystem
+[id="{context}"]
+= Configuring readOnlyRootFilesystem in {product}
+
+The {product} deployment consists of two containers: an `initContainer` that installs the Dynamic Plugins, and a backend container that runs the application. The `initContainer` has the `readOnlyRootFilesystem` option enabled by default. To enable this option on the backend container, you must either have permission to deploy resources through Helm or to create or update a CR for Operator-backed deployments. You can manually configure the `readOnlyRootFilesystem` option on the backend container by using the following methods:
+
+* The {product} Operator
+* The {product} Helm chart
+
+ include::modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-operator-deployment.adoc[leveloffset=+1]
+
+ include::modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-helm-chart-deployment.adoc[leveloffset=+1]

assemblies/dynamic-plugins/assembly-install-third-party-plugins-rhdh.adoc

@@ -15,7 +15,7 @@ Plugins are defined in the `plugins` array within the `dynamic-plugin-config.yam
 
 [NOTE]
 ====
-You can also load dynamic plugins from another directory, though this is intended for development or testing purposes and is not recommended for production, except for plugins included in the {product-very-short} container image.
+You can also load dynamic plugins from another directory, though this is intended for development or testing purposes and is not recommended for production, except for plugins included in the {product-very-short} container image. For more information, see xref:proc-enable-plugins-rhdh-container-image_{context}[].
 ====
 
 //OCI image

modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc

@@ -0,0 +1,29 @@
+[id="configuring-the-rbac-backend-plugin_{context}"]
+= Configuring the RBAC backend plugin
+
+You can configure the RBAC backend plugin by updating the `app-config.yaml` file to enable the permission framework.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+* Update the `app-config.yaml` file to enable the permission framework as shown:
+
+[source,yaml,subs=+quotes]
+----
+permission
+  enabled: true
+  rbac:
+    admin:
+      users:
+        - name: user:default/guest
+    pluginsWithPermission:
+      - catalog
+      - permission
+      - scaffolder
+----
+
+[NOTE]
+====
+The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
+====

modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc

@@ -0,0 +1,26 @@
+[id="setting-up-the-guest-authentication-provider_{context}"]
+= Setting up the guest authentication provider
+
+You can enable guest authentication and use it alongside the RBAC frontend plugin.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+
+* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+
+[source,yaml,subs="+attributes,+quotes"]
+----
+auth:
+  environment: development
+  providers:
+    guest:
+      userEntityRef: user:default/guest
+      dangerouslyAllowOutsideDevelopment: true
+----
+
+[NOTE]
+====
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
+====

modules/authorization/ref-rbac-permission-policies.adoc

@@ -135,6 +135,11 @@ Scaffolder permissions::
 |
 |`read`
 |Allows a user or role to read all scaffolder tasks and their associated events and logs
+
+|`scaffolder.template.management`
+|
+|`use`
+|Allows a user or role to access frontend template management features, including editing, previewing, and trying templates, forms, and custom fields.
 |===
 
 RBAC permissions::

modules/configuring-external-databases/proc-configuring-postgresql-instance-using-helm.adoc

@@ -24,7 +24,7 @@ By default, {product-short} uses a database for each plugin and automatically cr
 
 . Optional: Create a certificate secret to configure your PostgreSQL instance with a TLS connection:
 +
-[source,terminal]
+[source,terminal, subs="+attributes"]
 ----
 cat <<EOF | oc -n <your-namespace> create -f -
 apiVersion: v1
@@ -52,7 +52,7 @@ EOF
 
 . Create a credential secret to connect with the PostgreSQL instance:
 +
-[source,terminal]
+[source,terminal, subs="+attributes"]
 ----
 cat <<EOF | oc -n <your-namespace> create -f -
 apiVersion: v1
@@ -76,7 +76,7 @@ EOF
 
 . Configure your PostgreSQL instance in the Helm configuration file named `values.yaml`:
 +
-[source,yaml]
+[source,yaml, subs="+attributes"]
 ----
 # ...
 upstream:
@@ -89,10 +89,10 @@ upstream:
       backend:
         database:
           connection:  # configure Backstage DB connection parameters
-            host: ${POSTGRES_HOST}
-            port: ${POSTGRES_PORT}
-            user: ${POSTGRES_USER}
-            password: ${POSTGRES_PASSWORD}
+            host: $\{POSTGRES_HOST}
+            port: $\{POSTGRES_PORT}
+            user: $\{POSTGRES_USER}
+            password: $\{POSTGRES_PASSWORD}
             ssl:
               rejectUnauthorized: true,
               ca:

modules/configuring-external-databases/proc-migrating-databases-to-an-external-server.adoc

@@ -81,7 +81,7 @@ You can stop port forwarding when the copying of the data is complete. For more
 . Reconfigure your `{product-custom-resource-type}` custom resource (CR). For more information, see link:{configuring-book-url}#proc-configuring-postgresql-instance-using-operator_configuring-external-postgresql-databases[Configuring an external PostgreSQL instance using the Operator].
 . Check that the following code is present at the end of your `Backstage` CR after reconfiguration:
 +
-[source,yaml]
+[source,yaml, subs="+attributes"]
 ----
 # ...
 spec: