fix: add volume for extension catalog entities [RHIDP-11294]

[rm3l]

Description

As discussed in https://redhat-internal.slack.com/archives/C04CUSD4JSG/p1767790419980379, we need to extract the catalog entities from the index image to the /marketplace (to be replaced by /extensions in redhat-developer/rhdh-plugins#2006) folder, so that the extensions backend providers can automatically discover them. Otherwise, there are no plugins displayed in the RHDH Extensions UI.

redhat-developer/rhdh#3970 added support for specifying the extraction dir via a new CATALOG_ENTITIES_EXTRACT_DIR env var, which we now need to set in the Install Methods (and additionally add the right volume mounts - we cannot create that folder right in the main container because the root filesystem is read-only for security purposes).

On hold until redhat-developer/rhdh#3988 is merged.

Which issue(s) does this PR fix or relate to

• Fixes https://issues.redhat.com/browse/RHIDP-11294

PR acceptance criteria

• Tests updated and passing
• Documentation updated
• Built-in TechDocs updated if needed. Note that TechDocs changes may need to be reviewed by a Product Manager and/or Architect to ensure content accuracy, clarity, and alignment with user needs.

How to test changes / Special notes to the reviewer

NOTE: requires the next RHDH image tag.

Before

With the changes here

[rhdh-qodo-merge]

PR Reviewer Guide 🔍

(Review updated until commit c594fed)

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶 RHIDP-11294 - Partially compliant Compliant requirements: Add an additional /marketplace volume mount into the RHDH container (RHDH Local). Set the catalog entities extraction directory via env var to a dedicated mounted path. Non-compliant requirements: Add a new /marketplace volume into the RHDH pod and set the catalog entities extraction directory to it. Requires further human verification: Confirm the intended final mount path is /marketplace (ticket wording) vs the newly introduced /extensions, and validate expected behavior with RHDH 1.9+ in a running environment.

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🔒 No security concerns identified

⚡ Recommended focus areas for review Mount semantics The same named volume is mounted at both /extensions and /marketplace, with /marketplace marked read-only. If any runtime component still writes to /marketplace (or expects it to be writable), this could cause failures. Also, the lack of SELinux :Z/:z on these mounts may cause permission issues on SELinux-enabled hosts. - extensions-catalog:/extensions # TODO(rm3l): legacy mount path for backward compatibility, will be deprecated in a near future - extensions-catalog:/marketplace:ro depends_on: Config alignment The configured extraction dir is /extensions and is noted as requiring RHDH 1.9+. Ensure the rest of the local stack (scripts/configs) uses the same path consistently, and that fallback/compat behavior is correct for older versions given the additional legacy /marketplace mount. # Path in the install-dynamic-plugins container where the extensions catalog entities should be extracted to, from the catalog index image # Requires RHDH 1.9+ to be handled CATALOG_ENTITIES_EXTRACT_DIR=/extensions

📄 References redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [21-40] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [42-65] redhat-developer/rhdh-chart/charts/backstage/values.yaml [220-227] redhat-developer/rhdh-chart/charts/backstage/values.yaml [37-44] redhat-developer/rhdh-operator/examples/catalog-index.yaml [1-14] redhat-developer/rhdh-operator/pkg/model/testdata/janus-deployment.yaml [36-58] redhat-developer/rhdh-operator/examples/pvc-dp-cache.yaml [60-83] redhat-developer/rhdh-operator/integration_tests/testdata/rhdh-replace-dynaplugin-root.yaml [1-14]

[rhdh-qodo-merge]

PR Type

(Describe updated until commit 1774bdc)

Enhancement

---

Description

• Add volume mounts for extension catalog entities in Docker Compose

• Configure CATALOG_ENTITIES_EXTRACT_DIR environment variable for RHDH 1.9+

• Support both /extensions and /marketplace paths for backward compatibility

• Enable automatic discovery of plugins in RHDH Extensions UI

---

File Walkthrough

Relevant files

Configuration changes

compose.yaml Add extension catalog volume mounts to services                    compose.yaml Added extensions-catalog volume mount to /extensions directory Added read-only legacy mount to /marketplace for backward compatibility Mounted extensions-catalog volume in install-dynamic-plugins service Declared new extensions-catalog named volume in volumes section +6/-1      default.env Configure catalog entities extraction directory path          default.env Added CATALOG_ENTITIES_EXTRACT_DIR environment variable set to /extensions Added documentation comment explaining the variable requires RHDH 1.9+ Clarifies extraction path for catalog index image processing +4/-0

---

[rhdh-qodo-merge]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Add SELinux relabel flag Add the :Z mount option to the extensions-catalog volume mount to ensure correct SELinux file context relabeling. compose.yaml [47] -- extensions-catalog:/marketplace +- extensions-catalog:/marketplace:Z Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly points out a missing SELinux flag, which is important for compatibility on SELinux-enabled systems and consistent with other volume mounts in the file.	Medium
Update

[rhdh-qodo-merge]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶 RHIDP-11294 - Partially compliant Compliant requirements: Add an additional /marketplace volume mount into the RHDH container (RHDH Local). Configure the catalog entities extraction directory to use that /marketplace mount. Non-compliant requirements: Requires further human verification: Verify the mounted /marketplace path is writable by the runtime user in both involved containers and that catalog entities are actually extracted there when using an RHDH 1.9+ image. Verify end-to-end behavior with a catalog index image (i.e., entities extraction + RHDH consuming the extracted entities) in a local run.

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🔒 No security concerns identified

⚡ Recommended focus areas for review Permissions The named volume mounted at /marketplace may have ownership/permission mismatches depending on the container UID/GID. Confirm both services that mount it can write/read there, or consider explicitly setting user/permissions/init logic if needed. - extensions-catalog:/marketplace depends_on: Compatibility The extraction dir is set globally via CATALOG_ENTITIES_EXTRACT_DIR=/marketplace with a comment that it requires RHDH 1.9+. Ensure older versions either ignore it safely or that local setup/docs guard against running with incompatible images. # Path in the install-dynamic-plugins container where the extensions catalog entities should be extracted to, from the catalog index image # Requires RHDH 1.9+ to be handled CATALOG_ENTITIES_EXTRACT_DIR=/marketplace

📄 References redhat-developer/rhdh-chart/charts/backstage/values.yaml [220-227] redhat-developer/rhdh-chart/charts/backstage/values.yaml [37-44] redhat-developer/rhdh-operator/examples/catalog-index.yaml [1-14] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [42-65] redhat-developer/rhdh-operator/pkg/model/testdata/janus-deployment.yaml [36-58] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [21-40] redhat-developer/rhdh-operator/integration_tests/testdata/rhdh-replace-dynaplugin-root.yaml [1-14] redhat-developer/rhdh-operator/examples/pvc-dp-cache.yaml [60-83]

[rhdh-qodo-merge]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	✅ Use environment variable for mount path Suggestion Impact: The volume mount for extensions-catalog was updated to use ${CATALOG_ENTITIES_EXTRACT_DIR:-/extensions} instead of a hardcoded path, making the mount location configurable via an environment variable (with a fallback). code diff: @@ -69,7 +69,7 @@ - ./local-plugins:/opt/app-root/src/local-plugins:Z - ./configs:/opt/app-root/src/configs:Z - dynamic-plugins-root:/dynamic-plugins-root - - extensions-catalog:/extensions + - extensions-catalog:${CATALOG_ENTITIES_EXTRACT_DIR:-/extensions} In compose.yaml, replace the hardcoded /marketplace path for the extensions-catalog volume with the ${CATALOG_ENTITIES_EXTRACT_DIR} environment variable and a fallback value to ensure configurability. compose.yaml [47-72] - - extensions-catalog:/marketplace + - extensions-catalog:${CATALOG_ENTITIES_EXTRACT_DIR:-/marketplace} depends_on: install-dynamic-plugins: condition: service_completed_successfully ... volumes: - ./prepare-and-install-dynamic-plugins.sh:/opt/app-root/src/prepare-and-install-dynamic-plugins.sh:Z - ./local-plugins:/opt/app-root/src/local-plugins:Z - ./configs:/opt/app-root/src/configs:Z - dynamic-plugins-root:/dynamic-plugins-root - - extensions-catalog:/marketplace + - extensions-catalog:${CATALOG_ENTITIES_EXTRACT_DIR:-/marketplace} [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies that hardcoding the /marketplace path in compose.yaml contradicts making it configurable via CATALOG_ENTITIES_EXTRACT_DIR in default.env, which would break the feature if the variable is changed.	Medium
More

[rm3l]

/review

[rhdh-qodo-merge]

Persistent review updated to latest commit c594fed

[rhdh-qodo-merge]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶 RHIDP-11294 - Partially compliant Compliant requirements: Add an additional /marketplace volume mount into the RHDH container (RHDH Local). Ensure catalog entities extraction directory is set to that mounted location so entities can be extracted from the index image into a writable path. Non-compliant requirements: Requires further human verification: Validate end-to-end that entities are extracted into /extensions and that the Extensions UI discovers/plugins are listed as expected when running with the required :next/1.9+ RHDH image.

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🔒 No security concerns identified

⚡ Recommended focus areas for review Mount Semantics The same named volume is mounted to both /extensions (rw) and /marketplace (ro). This is likely intentional for backward compatibility, but it can be surprising: any code still writing to /marketplace will now fail due to read-only mount. Confirm all writers use CATALOG_ENTITIES_EXTRACT_DIR=/extensions (and/or no remaining code paths write to /marketplace). - extensions-catalog:/extensions # TODO(rm3l): legacy mount path for backward compatibility, will be deprecated in a near future - extensions-catalog:/marketplace:ro Version Coupling The new CATALOG_ENTITIES_EXTRACT_DIR is documented as requiring RHDH 1.9+. Ensure install methods/README or runtime checks clearly communicate this requirement to avoid silent misconfiguration when running older images. # Path in the install-dynamic-plugins container where the extensions catalog entities should be extracted to, from the catalog index image # Requires RHDH 1.9+ to be handled CATALOG_ENTITIES_EXTRACT_DIR=/extensions

📄 References redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [42-65] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [66-76] redhat-developer/rhdh-operator/config/profile/rhdh/default-config/deployment.yaml [21-40] redhat-developer/rhdh-chart/charts/backstage/values.yaml [160-178] redhat-developer/rhdh-operator/pkg/model/testdata/janus-deployment.yaml [36-58] redhat-developer/rhdh-operator/pkg/model/testdata/janus-deployment.yaml [94-96] redhat-developer/rhdh-operator/integration_tests/testdata/rhdh-replace-dynaplugin-root.yaml [1-14] redhat-developer/rhdh-operator/examples/pvc-dp-cache.yaml [60-83]

[rhdh-qodo-merge]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	✅ Load .env into container Suggestion Impact: Instead of adding `env_file`, the commit updated the volume mount to use `${CATALOG_ENTITIES_EXTRACT_DIR:-/extensions}` for the mount path, allowing the directory to be configured via an environment variable (with a default) at compose-expansion time. code diff: - - extensions-catalog:/extensions + - extensions-catalog:${CATALOG_ENTITIES_EXTRACT_DIR:-/extensions} Add env_file: - default.env to the install-dynamic-plugins service to ensure it can access the CATALOG_ENTITIES_EXTRACT_DIR variable. compose.yaml [69-74] +env_file: + - default.env volumes: - ./prepare-and-install-dynamic-plugins.sh:/opt/app-root/src/prepare-and-install-dynamic-plugins.sh:Z ... - extensions-catalog:/extensions [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 9 __ Why: This suggestion correctly identifies a critical omission; the install-dynamic-plugins service needs the env_file directive to access the newly added CATALOG_ENTITIES_EXTRACT_DIR variable, without which the feature would likely fail.	High
Security	Mount volume as read-only for security For the backstage service, make the extensions-catalog:/extensions volume mount read-only (:ro) to enhance security. compose.yaml [47] -- extensions-catalog:/extensions +- extensions-catalog:/extensions:ro Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that the backstage service likely only needs read access to the extensions-catalog volume, and making the mount read-only improves security by applying the principle of least privilege.	Medium
More

[karthikjeeyar]

I have tested this using the RHDH marketplace wrapper update PR Image

RHDH_IMAGE=quay.io/rhdh-community/rhdh:pr-3988

[Fortune-Ndlovu]

lgtm

[Fortune-Ndlovu]

do we need doc updates here also

[rm3l]

do we need doc updates here also

I think the comment that we have on the new env var could be enough, no? https://github.com/redhat-developer/rhdh-local/pull/150/changes#diff-809f8c700609ab7a6e6a2efafcd1c6a92b66ab54df793dafe3bec16c5387107aR18-R19

[rm3l]

redhat-developer/rhdh#3988 merged.

/hold cancel

[Fortune-Ndlovu]

lgtm