From f4b23efa57e04b252a6d36494f27d01eebb2d8aa Mon Sep 17 00:00:00 2001
From: Nick Boldt
Date: Tue, 14 Jan 2025 14:23:24 -0500
Subject: [PATCH 1/4] chore: release notes for 1.3.4
Signed-off-by: Nick Boldt
chore: release notes for 1.3.4
Signed-off-by: Nick Boldt
---
artifacts/attributes.adoc | 4 ++--
...mbly-release-notes-fixed-security-issues.adoc | 7 +++++++
...st-fixed-security-issues-in-product-1.3.4.txt | 16 ++++++++++++++++
.../list-fixed-security-issues-in-rpm-1.3.4.txt | 0
...p-fixed-security-issues-in-product-1.3.4.adoc | 1 +
.../snip-fixed-security-issues-in-rpm-1.3.4.adoc | 1 +
6 files changed, 27 insertions(+), 2 deletions(-)
create mode 100644 modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt
create mode 100644 modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt
create mode 100644 modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc
create mode 100644 modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc
diff --git a/artifacts/attributes.adoc b/artifacts/attributes.adoc
index 379eab750c..49784b3896 100644
--- a/artifacts/attributes.adoc
+++ b/artifacts/attributes.adoc
@@ -11,8 +11,8 @@
 :product-short: Developer Hub
 :product-very-short: RHDH
 :product-version: 1.3
-:product-bundle-version: 1.3.3
-:product-chart-version: 1.3.3
+:product-bundle-version: 1.3.4
+:product-chart-version: 1.3.4
 :product-backstage-version: 1.29.2
 :rhdeveloper-name: Red Hat Developer
 :rhel: Red Hat Enterprise Linux
diff --git a/assemblies/assembly-release-notes-fixed-security-issues.adoc b/assemblies/assembly-release-notes-fixed-security-issues.adoc
index d3dd348fc0..c514f84f40 100644
--- a/assemblies/assembly-release-notes-fixed-security-issues.adoc
+++ b/assemblies/assembly-release-notes-fixed-security-issues.adoc
@@ -4,8 +4,15 @@ This section lists security issues fixed in {product} {product-version}.
+
 == {product} {product-bundle-version}
+include::./modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc[leveloffset=+2]
+
+include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc[leveloffset=+2]
+
+== {product} 1.3.3
+
 include::./modules/release-notes/snip-fixed-security-issues-in-product-1.3.3.adoc[leveloffset=+2]
 include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.3.adoc[leveloffset=+2]
diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt
new file mode 100644
index 0000000000..d1e72dc52e
--- /dev/null
+++ b/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt
@@ -0,0 +1,16 @@
+# TODO verify these are fixed in the latest rhdh-hub / operator containers
+
+# https://errata.engineering.redhat.com/advisory/144019
+# CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization
+# CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
+# CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
+# CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
+
+# https://errata.engineering.redhat.com/advisory/139648
+# CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
+
+# https://errata.engineering.redhat.com/advisory/143859
+# CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths
+
+# https://errata.engineering.redhat.com/advisory/143848
+# CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses
diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc
new file mode 100644
index 0000000000..065df0a0fa
--- /dev/null
+++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc
@@ -0,0 +1 @@
+= {product} dependency updates
diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc
new file mode 100644
index 0000000000..e4930e95c6
--- /dev/null
+++ b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc
@@ -0,0 +1 @@
+= RHEL 9 platform RPM updates
From afaae400712e9b6fe99129849f003efb5bd00f05 Mon Sep 17 00:00:00 2001
From: Nick Boldt
Date: Tue, 14 Jan 2025 14:30:14 -0500
Subject: [PATCH 2/4] regen release notes
Signed-off-by: Nick Boldt
---
.../ref-release-notes-breaking-changes.adoc | 200 +++++++++---------
...ease-notes-deprecated-functionalities.adoc | 92 ++++----
.../ref-release-notes-fixed-issues.adoc | 182 ++++++++--------
.../ref-release-notes-known-issues.adoc | 24 +++
.../ref-release-notes-new-features.adoc | 172 +++++++--------
.../ref-release-notes-technology-preview.adoc | 8 +-
6 files changed, 351 insertions(+), 327 deletions(-)
diff --git a/modules/release-notes/ref-release-notes-breaking-changes.adoc b/modules/release-notes/ref-release-notes-breaking-changes.adoc
index 9887d903b5..c7987c3bd9 100644
--- a/modules/release-notes/ref-release-notes-breaking-changes.adoc
+++ b/modules/release-notes/ref-release-notes-breaking-changes.adoc
@@ -1,100 +1,100 @@
-:_content-type: REFERENCE
-[id="breaking-changes"]
-= Breaking changes
-
-This section lists breaking changes in {product} {product-version}.
-
-[id="removed-functionality-rhidp-3048"]
-== The 'dynamic-plugins' config map is named dynamically
-
-Before this update, the dynamic-plugins config map name was hardcoded.
-Therefore, it was not possible to install two {product} helm charts in the same namespace.
-
-With this update, the dynamic-plugins config map is named dynamically based on the deployment name similar to how all other components names are generated.
-When upgrading from a previous chart you might need to manually update that section of your `values.yaml` file to pull in the correct config map.
-
-
-.Additional resources
-* link:https://issues.redhat.com/browse/RHIDP-3048[RHIDP-3048]
-
-[id="removed-functionality-rhidp-3074"]
-== Signing in without user in the software catalog is now disabled by default
-
-By default, it is now required for the user entity to exist in the software catalog to allow sign in.
-This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective.
-To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog.
-Enabling this option is dangerous as it might allow unauthorized users to gain access.
-
-
-.Additional resources
-* link:https://issues.redhat.com/browse/RHIDP-3074[RHIDP-3074]
-
-[id="removed-functionality-rhidp-3187"]
-== {company-name} and Community Technology Preview (TP) plugins and actions are disabled by default
-
-Before this update, some {company-name} and Community Technology Preview (TP) plugins and actions were enabled by default:
-
-.Technology Preview plugins
-* @backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor (changing in RHIDP-3643)
-
-.Community Support plugins
-* @backstage/plugin-scaffolder-backend-module-azure
-* @backstage/plugin-scaffolder-backend-module-bitbucket-cloud
-* @backstage/plugin-scaffolder-backend-module-bitbucket-server
-* @backstage/plugin-scaffolder-backend-module-gerrit
-* @backstage/plugin-scaffolder-backend-module-github
-* @backstage/plugin-scaffolder-backend-module-gitlab
-* @roadiehq/scaffolder-backend-module-http-request
-* @roadiehq/scaffolder-backend-module-utils
-
-With this update, all plugins included under the link:https://access.redhat.com/support/offerings/techpreview[Technology Preview scope of support], whether from {company-name} or the community, are disabled by default.
-
-.Procedure
-* If your workload requires these plugins, enable them in your custom resource or configmap using `disabled: false`.
-
-//See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples.
-
-
-.Additional resources
-* link:https://issues.redhat.com/browse/RHIDP-3187[RHIDP-3187]
-
-[id="removed-functionality-rhidp-4293"]
-== Plugins with updated scope
-
-With this update, three plugins previously under the `@janus-idp` scope have moved to `@backstage-community`:
-
-[%header,cols=2*]
-|===
-|*RHDH 1.2 Plugin Name* |*RHDH 1.3 Plugin Name*
-
-| `@janus-idp/backstage-plugin-argocd`
-| `@backstage-community/plugin-redhat-argocd`
-
-| `@janus-idp/backstage-plugin-3scale-backend`
-| `@backstage-community/plugin-3scale-backend`
-
-| `@janus-idp/backstage-plugin-catalog-backend-module-scaffolder-relation-processor`
-| `@backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor`
-|===
-
-As the scope of the previous plugins has been updated, the dynamic plugin configuration has also changed.
-
-[%header,cols=2*]
-|===
-|*RHDH 1.2 Configuration* |*RHDH 1.3 Configuration*
-
-| link:https://github.com/redhat-developer/rhdh/blob/1.2.x/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
-| link:https://github.com/redhat-developer/rhdh/blob/release-1.3/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
-|===
-
-.Procedure
-* If your workload requires plugins with an updated scope, revise your configuration to use the latest plugins from the new scope.
-
-//See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples.
-
-
-.Additional resources
-* link:https://issues.redhat.com/browse/RHIDP-4293[RHIDP-4293]
-
-
-
+:_content-type: REFERENCE
+[id="breaking-changes"]
+= Breaking changes
+
+This section lists breaking changes in {product} {product-version}.
+
+[id="removed-functionality-rhidp-3048"]
+== The 'dynamic-plugins' config map is named dynamically
+
+Before this update, the dynamic-plugins config map name was hardcoded.
+Therefore, it was not possible to install two {product} helm charts in the same namespace.
+
+With this update, the dynamic-plugins config map is named dynamically based on the deployment name similar to how all other components names are generated.
+When upgrading from a previous chart you might need to manually update that section of your `values.yaml` file to pull in the correct config map.
+
+
+.Additional resources
+* link:https://issues.redhat.com/browse/RHIDP-3048[RHIDP-3048]
+
+[id="removed-functionality-rhidp-3074"]
+== Signing in without user in the software catalog is now disabled by default
+
+By default, it is now required for the user entity to exist in the software catalog to allow sign in.
+This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective.
+To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog.
+Enabling this option is dangerous as it might allow unauthorized users to gain access.
+
+
+.Additional resources
+* link:https://issues.redhat.com/browse/RHIDP-3074[RHIDP-3074]
+
+[id="removed-functionality-rhidp-3187"]
+== {company-name} and Community Technology Preview (TP) plugins and actions are disabled by default
+
+Before this update, some {company-name} and Community Technology Preview (TP) plugins and actions were enabled by default:
+
+.Technology Preview plugins
+* @backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor (changing in RHIDP-3643)
+
+.Community Support plugins
+* @backstage/plugin-scaffolder-backend-module-azure
+* @backstage/plugin-scaffolder-backend-module-bitbucket-cloud
+* @backstage/plugin-scaffolder-backend-module-bitbucket-server
+* @backstage/plugin-scaffolder-backend-module-gerrit
+* @backstage/plugin-scaffolder-backend-module-github
+* @backstage/plugin-scaffolder-backend-module-gitlab
+* @roadiehq/scaffolder-backend-module-http-request
+* @roadiehq/scaffolder-backend-module-utils
+
+With this update, all plugins included under the link:https://access.redhat.com/support/offerings/techpreview[Technology Preview scope of support], whether from {company-name} or the community, are disabled by default.
+
+.Procedure
+* If your workload requires these plugins, enable them in your custom resource or configmap using `disabled: false`.
+
+//See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples.
+
+
+.Additional resources
+* link:https://issues.redhat.com/browse/RHIDP-3187[RHIDP-3187]
+
+[id="removed-functionality-rhidp-4293"]
+== Plugins with updated scope
+
+With this update, three plugins previously under the `@janus-idp` scope have moved to `@backstage-community`:
+
+[%header,cols=2*]
+|===
+|*RHDH 1.2 Plugin Name* |*RHDH 1.3 Plugin Name*
+
+| `@janus-idp/backstage-plugin-argocd`
+| `@backstage-community/plugin-redhat-argocd`
+
+| `@janus-idp/backstage-plugin-3scale-backend`
+| `@backstage-community/plugin-3scale-backend`
+
+| `@janus-idp/backstage-plugin-catalog-backend-module-scaffolder-relation-processor`
+| `@backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor`
+|===
+
+As the scope of the previous plugins has been updated, the dynamic plugin configuration has also changed.
+
+[%header,cols=2*]
+|===
+|*RHDH 1.2 Configuration* |*RHDH 1.3 Configuration*
+
+| link:https://github.com/redhat-developer/rhdh/blob/1.2.x/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
+| link:https://github.com/redhat-developer/rhdh/blob/release-1.3/dynamic-plugins.default.yaml[dynamic-plugins.default.yaml]
+|===
+
+.Procedure
+* If your workload requires plugins with an updated scope, revise your configuration to use the latest plugins from the new scope.
+
+//See https://github.com/redhat-developer/rhdh/blob/main/dynamic-plugins.default.yaml for examples.
+
+
+.Additional resources
+* link:https://issues.redhat.com/browse/RHIDP-4293[RHIDP-4293]
+
+
+
diff --git a/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc b/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc
index afcc6885b3..41b8fd29d5 100644
--- a/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc
+++ b/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc
@@ -7,52 +7,52 @@ This section lists deprecated functionalities in {product} {product-version}. [id="deprecated-functionality-rhidp-1138"] == `spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields are deprecated -`spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields are deprecated in `v1alpha2` in favour of `spec.deployment`. - -Procedure: - -To update your {product-short} Operation configuration: - -. Remove the `spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields from the Operator configuration: -+ -[source,yaml] ----- -spec: - application: - replicas: 2 # <1> - imagePullSecrets: # <2> - - my-secret-name - image: quay.io/my/my-rhdh:latest # <3> ----- -<1> Replica count. -<2> Array of image pull secrets names. -<3> Image name. - - -. Replace the removed fields by new `spec.deployment` fields, such as: -+ -[source,yaml] ----- -spec: - deployment: - patch: - spec: - replicas: 2 # <1> - imagePullSecrets: # <2> - - name: my-secret-name - template: - metadata: - labels: - my: true - spec: - containers: - - name: backstage-backend - image: quay.io/my/my-rhdh:latest # <3> ----- -<1> Replica count. -<2> Array of image pull secrets names. -<3> Image name. - +`spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields are deprecated in `v1alpha2` in favour of `spec.deployment`. + +Procedure: + +To update your {product-short} Operation configuration: + +. Remove the `spec.application.image`, `spec.application.replicas` and `spec.application.imagePullSecrets` fields from the Operator configuration: ++ +[source,yaml] +---- +spec: + application: + replicas: 2 # <1> + imagePullSecrets: # <2> + - my-secret-name + image: quay.io/my/my-rhdh:latest # <3> +---- +<1> Replica count. +<2> Array of image pull secrets names. +<3> Image name. + + +. 
Replace the removed fields by new `spec.deployment` fields, such as: ++ +[source,yaml] +---- +spec: + deployment: + patch: + spec: + replicas: 2 # <1> + imagePullSecrets: # <2> + - name: my-secret-name + template: + metadata: + labels: + my: true + spec: + containers: + - name: backstage-backend + image: quay.io/my/my-rhdh:latest # <3> +---- +<1> Replica count. +<2> Array of image pull secrets names. +<3> Image name. + // https://github.com/redhat-developer/rhdh-operator/blob/main/docs/configuration.md#deployment-parameters diff --git a/modules/release-notes/ref-release-notes-fixed-issues.adoc b/modules/release-notes/ref-release-notes-fixed-issues.adoc index daec94dc5f..4c25cf5fec 100644 --- a/modules/release-notes/ref-release-notes-fixed-issues.adoc +++ b/modules/release-notes/ref-release-notes-fixed-issues.adoc @@ -9,8 +9,8 @@ This section lists issues fixed in {product} {product-version}. [id="bug-fix-rhidp-5180"] === Opting out of using Redis sets does not work -Before this update, configuring the `useRedisSets: false` option resulted in the `useRedisSets: true` behaviour. - +Before this update, configuring the `useRedisSets: false` option resulted in the `useRedisSets: true` behaviour. + With this update, you can now opt out of using Redis sets. It is recommended to clear your cache in order to remove any invalid keys. 
@@ -22,9 +22,9 @@ With this update, you can now opt out of using Redis sets. It is recommended to
 [id="bug-fix-rhidp-5121"]
 === Impossible to report a documentation issue from selected documentation content
-Previously, the feature to report a documentation (techdoc) issue didn't work. When the user selected a text in the documentation, it showed a huge icon rather than a tooltip button.
-
-With this update, the user can select content in the documentation, and click the tooltip button to report a documentation issue.
+Previously, the feature to report a documentation (techdoc) issue didn't work. When the user selected a text in the documentation, it showed a huge icon rather than a tooltip button.
+
+With this update, the user can select content in the documentation, and click the tooltip button to report a documentation issue.
@@ -36,8 +36,8 @@ With this update, the user can select content in the documentation, and click th
 [id="bug-fix-rhidp-4069"]
 === Conditional alias `$ownerRefs` does not work
-Before this update, a conditional alias that uses `$ownerRefs` did not work.
-
+Before this update, a conditional alias that uses `$ownerRefs` did not work.
+
 With this update, a conditional alias can use `$ownerRefs`.
@@ -59,9 +59,9 @@ With this update, the {product} Helm Chart does not contain a pull secret that i
 [id="bug-fix-rhidp-2139"]
 === Filtering for permissions policies that do not exist leads to an error being thrown
-Before this update, permission checks by the permission framework would throw an error if a matching permission policy was not previously defined.
-Therefore, {product-short} denied the request with an error.
-
+Before this update, permission checks by the permission framework would throw an error if a matching permission policy was not previously defined.
+Therefore, {product-short} denied the request with an error.
+
 With this update, {product-short} denies the request without throwing an error.
@@ -72,10 +72,10 @@ With this update, {product-short} denies the request without throwing an error.
 [id="bug-fix-rhidp-2412"]
 === HTTP error code 431 when an user is member of many groups
-Before this update, {product-short} API became unresponsive when a user was member of a high number of groups (more than 150) with aggregated relations.
-Therefore, the user might have failed to authenticate.
-Also, {product-short} might have shown an error when opening the user entity in the UI.
-
+Before this update, {product-short} API became unresponsive when a user was member of a high number of groups (more than 150) with aggregated relations.
+Therefore, the user might have failed to authenticate.
+Also, {product-short} might have shown an error when opening the user entity in the UI.
+
 With this update, {product-short} can handle a user member of a high number of groups (more than 150) with aggregated relations.
@@ -86,8 +86,8 @@ With this update, {product-short} can handle a user member of a high number of g
 [id="bug-fix-rhidp-2438"]
 === OCM calls are not scoped to the OCM page
-Before this update, when the OCM plugin is installed, navigating to non-OCM pages triggered unnecessary failed OCM API calls.
-
+Before this update, when the OCM plugin is installed, navigating to non-OCM pages triggered unnecessary failed OCM API calls.
+
 With this update, {product-short} restricts OCM API calls to OCM-related pages.
@@ -98,10 +98,10 @@ With this update, {product-short} restricts OCM API calls to OCM-related pages.
 [id="bug-fix-rhidp-2529"]
 === When login using azure entra sso, it will use id to match the user entity, which will fail to match with user entity imported by msgraph.
-Before this update, {product-short} failed to resolve user entities with Azure authentication provider to entities ingested by the MsGraph catalog provider.
-Therefore, a user authentication with Microsoft Azure could not open a session in {product-short}.
-
-With this update, {product-short} resolves user entities with Azure authentication provider to entities ingested by the MsGraph catalog provider.
+Before this update, {product-short} failed to resolve user entities with Azure authentication provider to entities ingested by the MsGraph catalog provider.
+Therefore, a user authentication with Microsoft Azure could not open a session in {product-short}.
+
+With this update, {product-short} resolves user entities with Azure authentication provider to entities ingested by the MsGraph catalog provider.
 Therefore, a user authentication with Microsoft Azure can open a session in {product-short}.
@@ -112,9 +112,9 @@ Therefore, a user authentication with Microsoft Azure can open a session in {pro
 [id="bug-fix-rhidp-2716"]
 === Replaced the deprecated `backend.auth.keys` field in the default configuration
-Before this update, in a {product-short} deployment with the default configuration, the application logs displayed the deprecation warning.
-
-With this update, the default `upstream.backstage.appConfig` configuration uses the `backend.auth.externalAccess` field rather than the deprecated `backend.auth.keys` field.
+Before this update, in a {product-short} deployment with the default configuration, the application logs displayed the deprecation warning.
+
+With this update, the default `upstream.backstage.appConfig` configuration uses the `backend.auth.externalAccess` field rather than the deprecated `backend.auth.keys` field.
@@ -135,10 +135,10 @@ With this update, {product-short} does not include user IP addresses in the appl
 [id="bug-fix-rhidp-3159"]
 === The last ~10 GitHub Pull Requests are missing from the list
-Before this update, {product-short} ignored GitHub search API restrictions to list pull requests.
-Therefore, {product-short} might have not displayed all pull requests.
-
-With this update, {product-short} limits paging to max 1000 results to respect GitHub search API restrictions.
+Before this update, {product-short} ignored GitHub search API restrictions to list pull requests.
+Therefore, {product-short} might have not displayed all pull requests.
+
+With this update, {product-short} limits paging to max 1000 results to respect GitHub search API restrictions.
 {product-short} show users when additional results are available, suggesting in a tooltip that they can refine their query to retrieve more specific results.
@@ -149,9 +149,9 @@ With this update, {product-short} limits paging to max 1000 results to respect G
 [id="bug-fix-rhidp-3217"]
 === rhtap installation always failed at RHDH due to Migration table is already locked
-Before this update, after updating a config map or a secret, when pods where restarting to apply the changes, they might have tried to simultaneous lock the database.
-The situation ended with a dead lock.
-
+Before this update, after updating a config map or a secret, when pods where restarting to apply the changes, they might have tried to simultaneous lock the database.
+The situation ended with a dead lock.
+
 With this update, {product-short} handles simultaneous pod refreshing without a dead lock.
@@ -162,10 +162,10 @@ With this update, {product-short} handles simultaneous pod refreshing without a
 [id="bug-fix-rhidp-3260"]
 === Renamed optional secret dynamic-plugins-npmrc in helm chart
-Before this update, the Helm Chart was using an unversioned name for the dynamic-plugins-npmrc secret.
-Therefore subsequent Helm deployments of the RHDH Helm Chart version 1.2.1 failed after the first deployment with an error that a secret named dynamic-plugins-npmrc exists and is not owned by the current release.
-
-With this update, the Helm Chart creates and uses a dynamic-plugins-npmrc secret that is named in line with the other resources managed by the Helm Chart: `_<release-name>_-dynamic-plugins-npmrc`.
+Before this update, the Helm Chart was using an unversioned name for the dynamic-plugins-npmrc secret.
+Therefore subsequent Helm deployments of the RHDH Helm Chart version 1.2.1 failed after the first deployment with an error that a secret named dynamic-plugins-npmrc exists and is not owned by the current release.
+
+With this update, the Helm Chart creates and uses a dynamic-plugins-npmrc secret that is named in line with the other resources managed by the Helm Chart: `_<release-name>_-dynamic-plugins-npmrc`.
 As a result, the Helm Chart does not fail on the previous error.
@@ -176,8 +176,8 @@ As a result, the Helm Chart does not fail on the previous error.
 [id="bug-fix-rhidp-3458"]
 === Backstage Specific Metrics no longer appear in /metrics endpoint
-Before this update, {product-short} stopped displaying some metrics such as catalog metrics in the `__<RHDH_URL>__/metrics` endpoint.
-
+Before this update, {product-short} stopped displaying some metrics such as catalog metrics in the `__<RHDH_URL>__/metrics` endpoint.
+
 With this update, {product-short} displays expected metrics in the /metrics endpoint.
@@ -188,24 +188,24 @@ With this update, {product-short} displays expected metrics in the /metrics endp [id="bug-fix-rhidp-3471"] === Theme issues with plugins using material 5 -Before this update, {product-short} had theme issues with plugins using Material UI (MUI) 5. - -With this update, {product-short} includes additional MUI 5 related packages, added to the application shell as shared modules. -Therefore, dynamic plugins that use MUI 5 components and tss-react can properly load the currently selected theme. -This ensures that MUI 5 components have the correct colors and styling applied to them. - -While not strictly a requirement, if a dynamic plugin relies on MUI 5 components with a class name prefix, that behavior can be added to a frontend dynamic plugin by adding the following code to the plugin's index.ts: - ----- -import { unstable_ClassNameGenerator as ClassNameGenerator } from '@mui/material/className'; - -ClassNameGenerator.configure(componentName => { - return componentName.startsWith('v5-') - ? componentName - : `v5-${componentName}`; -}) ----- - +Before this update, {product-short} had theme issues with plugins using Material UI (MUI) 5. + +With this update, {product-short} includes additional MUI 5 related packages, added to the application shell as shared modules. +Therefore, dynamic plugins that use MUI 5 components and tss-react can properly load the currently selected theme. +This ensures that MUI 5 components have the correct colors and styling applied to them. + +While not strictly a requirement, if a dynamic plugin relies on MUI 5 components with a class name prefix, that behavior can be added to a frontend dynamic plugin by adding the following code to the plugin's index.ts: + +---- +import { unstable_ClassNameGenerator as ClassNameGenerator } from '@mui/material/className'; + +ClassNameGenerator.configure(componentName => { + return componentName.startsWith('v5-') + ? 
componentName + : `v5-${componentName}`; +}) +---- + This update requires using a version of the @janus-idp/cli package > 1.13.1. 
@@ -216,21 +216,21 @@ This update requires using a version of the @janus-idp/cli package > 1.13.1.
 [id="bug-fix-rhidp-3580"]
 === Creating RBAC role with name that contains ':' or '/' creates a role that does nothing and cannot be deleted
-Before this update, creating an RBAC role with name that contains ':' or '/' through the REST API (or RBAC admin panel in the UI) created a role that did nothing and could not be deleted.
-Although the name of the role showed up in full as written in the POST request, when clicked on for more information about the role it showed only the part of the name written before the first ':' or '/'.
-Also while the list of RBAC roles did list how many policies were added to the role, when clicking on the role for more information it displayed no users or policies.
-
-
-With this udpate, {product-short} validates more strictly role and namespace names in accordance with backstage validation:
-
-{product-short} invalidates role names that do not conform with the format:
-
-- Strings of length at least 1, and at most 63.
-- Must consist of sequences of `[a-z0-9A-Z]` possibly separated by one of `[-_.]`.
-
-{product-short} invalidates namespaces that do not conform with the format:
-
-- Strings of length at least 1, and at most 63.
+Before this update, creating an RBAC role with name that contains ':' or '/' through the REST API (or RBAC admin panel in the UI) created a role that did nothing and could not be deleted.
+Although the name of the role showed up in full as written in the POST request, when clicked on for more information about the role it showed only the part of the name written before the first ':' or '/'.
+Also while the list of RBAC roles did list how many policies were added to the role, when clicking on the role for more information it displayed no users or policies.
+
+
+With this udpate, {product-short} validates more strictly role and namespace names in accordance with backstage validation:
+
+{product-short} invalidates role names that do not conform with the format:
+
+- Strings of length at least 1, and at most 63.
+- Must consist of sequences of `[a-z0-9A-Z]` possibly separated by one of `[-_.]`.
+
+{product-short} invalidates namespaces that do not conform with the format:
+
+- Strings of length at least 1, and at most 63.
 - Must be sequences of `[a-zA-Z0-9]`, possibly separated by `-`.
@@ -241,8 +241,8 @@ With this udpate, {product-short} validates more strictly role and namespace nam
 [id="bug-fix-rhidp-3601"]
 === Update contitional policies and policies loaded from files when these files are deleted
-Before this update, conditional policies and policies loaded from files remained active after the corresponding policy files were removed from the configuration.
-
+Before this update, conditional policies and policies loaded from files remained active after the corresponding policy files were removed from the configuration.
+
 With this update, conditional policies and policies loaded from files are removed after the corresponding policy files are removed from the configuration.
@@ -253,8 +253,8 @@ With this update, conditional policies and policies loaded from files are remove
 [id="bug-fix-rhidp-3612"]
 === Fixed the timestamp inserted by `catalog:timestamping`
-Before this update, the timestamp in the `catalog-info.yaml` created by the `catalog:timestamping` action by the `backstage-scaffolder-backend-module-annotator` plugin was different from the execution time of the template.
-
+Before this update, the timestamp in the `catalog-info.yaml` created by the `catalog:timestamping` action by the `backstage-scaffolder-backend-module-annotator` plugin was different from the execution time of the template.
+
 With this update, a unique timestamp is generated on each execution of the template.
@@ -265,9 +265,9 @@ With this update, a unique timestamp is generated on each execution of the temp [id="bug-fix-rhidp-3735"] === Added missing virtual machine details to the sidebar -Before this update, when a user displayed the virtual machine details in the sidebar, the icon corresponding to virtual machine was not shown. - -With this update, the missing icons have been added. +Before this update, when a user displayed the virtual machine details in the sidebar, the icon corresponding to virtual machine was not shown. + +With this update, the missing icons have been added. Therefore, when a user displays the virtual machine details in the sidebar, an icon shows the virtual machine status. @@ -278,8 +278,8 @@ Therefore, when a user displays the virtual machine details in the sidebar, an [id="bug-fix-rhidp-3896"] === Authenticate with GitHub a user absent in the software catalog when `dangerouslyAllowSignInWithoutUserInCatalog` is set to true -Before this update, authentication with Github failed when the `dangerouslyAllowSignInWithoutUserInCatalog` field was set to true and the user was absent from the software catalog. - +Before this update, authentication with Github failed when the `dangerouslyAllowSignInWithoutUserInCatalog` field was set to true and the user was absent from the software catalog. + With this update, when the `dangerouslyAllowSignInWithoutUserInCatalog` field is set to true, you can authenticate to {product-short} with a user absent from the software catalog. 
@@ -290,9 +290,9 @@ With this update, when the `dangerouslyAllowSignInWithoutUserInCatalog` field is [id="bug-fix-rhidp-4013"] === The {product-short} image defined in the custom resource takes precedence on the image defined in the environment variable -Before this update, when the {product-short} image was configured in both the custom resource and in the 'RELATED_IMAGE_backstage' environment variable, the image defined in the custom resource was not used. - -With this update, the custom resource configuration takes precedence and is applied. +Before this update, when the {product-short} image was configured in both the custom resource and in the 'RELATED_IMAGE_backstage' environment variable, the image defined in the custom resource was not used. + +With this update, the custom resource configuration takes precedence and is applied. 
@@ -303,10 +303,10 @@ With this update, the custom resource configuration takes precedence and is appl [id="bug-fix-rhidp-4046"] === Updated the search dropdown to display results for a large number of users or groups -Before this update, in the RBAC administration page, the members dropdown was not able to load a large number of users or groups. -Therefore, the {product-short} administrator was not able to select required users or groups to add to the role. - -With this update, the dropdown displays initially up to 100 users or groups shown and updates the display once the user starts to search. The search happens across the whole data-set and displays the first 100 results. The user must refine their search to narrow the results to a list containing the desired user or group. +Before this update, in the RBAC administration page, the members dropdown was not able to load a large number of users or groups. +Therefore, the {product-short} administrator was not able to select required users or groups to add to the role. + +With this update, the dropdown displays initially up to 100 users or groups shown and updates the display once the user starts to search. The search happens across the whole data-set and displays the first 100 results. The user must refine their search to narrow the results to a list containing the desired user or group. Therefore, even with larger numbers or users/groups, the {product-short} administrator can add required users or groups to the role. 
@@ -317,10 +317,10 @@ Therefore, even with larger numbers or users/groups, the {product-short} adminis [id="bug-fix-rhidp-4200"] === Bundled ArgoCD plugin with dynamic frontent assets -Before this update, the ArgoCD plugin was bundled with dynamic backend plugin assets rather than dynamic frontend plugin assets. -Therefore the ArgoCD plugin failed to load. - -With this update, the ArgoCD plugin is bundled with dynamic frontend plugin assets. +Before this update, the ArgoCD plugin was bundled with dynamic backend plugin assets rather than dynamic frontend plugin assets. +Therefore the ArgoCD plugin failed to load. + +With this update, the ArgoCD plugin is bundled with dynamic frontend plugin assets. Therefore the ArgoCD plugin can load properly. @@ -332,8 +332,8 @@ Therefore the ArgoCD plugin can load properly. [id="bug-fix-rhidp-2374"] === Added missing plugin name in the RBAC administration interface -Before this update, the RBAC administration user interface *Permission Policies* table did not display the plugin name. - +Before this update, the RBAC administration user interface *Permission Policies* table did not display the plugin name. + With this update, the RBAC administration user interface *Permission Policies* table displays the plugin name. diff --git a/modules/release-notes/ref-release-notes-known-issues.adoc b/modules/release-notes/ref-release-notes-known-issues.adoc index 0b577a7a7b..8d2c698773 100644 --- a/modules/release-notes/ref-release-notes-known-issues.adoc +++ b/modules/release-notes/ref-release-notes-known-issues.adoc 
@@ -4,6 +4,19 @@ This section lists known issues in {product} {product-version}. +[id="known-issue-rhidp-5342"] +== [Helm] Cannot run 2 RHDH replicas on different nodes due to Multi-Attach errors on the dynamic plugins root PVC + +If you are deploying {product-short} using the Helm Chart, it is currently impossible to have 2 replicas running on different cluster nodes. This might also affect the upgrade from 1.3 to 1.4.0 if the new pod is scheduled on a different node. + +A possible workaround for the upgrade is to manually scale down the number of replicas to 0 before upgrading your Helm release. Or manually remove the old {product-short} pod after upgrading the Helm release. However, this would imply some application downtime. +You can also leverage a Pod Affinity rule to force the cluster scheduler to run your {product-short} pods on the same node. + + + +.Additional resources +* link:https://issues.redhat.com/browse/RHIDP-5342[RHIDP-5342] + [id="known-issue-rhidp-5284"] == Entities of repositories under a configured org in catalog-backend-module-github-org plugin are not deleted from the catalog when the imported repository is deleted from bulk imports 
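Review bot: The Pod Affinity workaround in the RHIDP-5342 entry should say that pinning both replicas to one node gives up the node-level fault tolerance that is the reason for running two replicas, so readers can weigh it against the scale-to-zero option. The Multi-Attach errors named in the title usually point to the dynamic plugins root PVC being provisioned with a single-node access mode; if that is confirmed, naming the access mode in the entry would let administrators check their storage class before upgrading. A closing sentence such as `Note that co-locating the replicas on one node removes protection against a single node failure.` after the affinity sentence would cover the first point.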
@@ -13,6 +26,17 @@ Repositories might be added to Developer Hub from various sources (like statical .Additional resources * link:https://issues.redhat.com/browse/RHIDP-5284[RHIDP-5284] +[id="known-issue-rhidp-4695"] +== [Doc] OIDC refresh token behaviour + +When using {rhsso-brand-name} or {rhbk-brand-name} as an OIDC provider, it should be noted that the default access token lifespan is set to 5 minutes. This corresponds to the token refresh grace period set in {product-short} which is the threshold used to trigger a new refresh token call. Since the token is always near expiration, this will cause performance issues from frequent refresh token requests. It's recommended to increase the lifespan in the {rhsso-brand-name} or {rhbk-brand-name} serve by setting *Configure > Realm Settings> Access Token Lifespan* to a value that is greater than 5 minutes. + + + + +.Additional resources +* link:https://issues.redhat.com/browse/RHIDP-4695[RHIDP-4695] + [id="known-issue-rhidp-4067"] == Bulk Import: Added repositories count is incorrect diff --git a/modules/release-notes/ref-release-notes-new-features.adoc b/modules/release-notes/ref-release-notes-new-features.adoc index ed6dc2efd6..290e966028 100644 --- a/modules/release-notes/ref-release-notes-new-features.adoc +++ b/modules/release-notes/ref-release-notes-new-features.adoc 
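Review bot: `serve` in the RHIDP-4695 entry is a typo for `server` (`... in the {rhsso-brand-name} or {rhbk-brand-name} server by setting ...`). The recommendation to raise the access token lifespan above 5 minutes is given without its security trade-off: a longer-lived access token stays usable for longer if it leaks, so the entry should ask readers to choose the smallest value above the refresh grace period that their policy allows rather than an arbitrarily large one. If the {product-short} refresh grace period is itself configurable, naming that as the alternative knob would be useful; I cannot tell from this hunk whether it is.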
@@ -7,9 +7,9 @@ This section highlights new features in {product} {product-version}. [id="feature-rhidp-2232"] == Customizing the deployment by using the custom resource -With this update, when deploying {product} by using the operator, you can configure the {product-short} Deployment resource. -The {product-short} Operator Custom Resource Definition (CRD) API Version has been updated to `rhdh.redhat.com/v1alpha2`. -This CRD exposes a generic `spec.deployment.patch` field, which allows you to patch the {product-short} Deployment resource. +With this update, when deploying {product} by using the operator, you can configure the {product-short} Deployment resource. +The {product-short} Operator Custom Resource Definition (CRD) API Version has been updated to `rhdh.redhat.com/v1alpha2`. +This CRD exposes a generic `spec.deployment.patch` field, which allows you to patch the {product-short} Deployment resource. [id="feature-rhidp-2341"] @@ -20,13 +20,13 @@ With this update, as a {product-short} administrator, you can create and edit ne [id="enhancement-rhidp-2615"] == Persisting the audit log -With this update, you can persist the audit log: - -* You can send {product} audit logs to a rotating file. - -* You can send logs to a locked down file with append only rights. - -* When using the Helm chart, {product-short} writes logs to persistent volumes. +With this update, you can persist the audit log: + +* You can send {product} audit logs to a rotating file. + +* You can send logs to a locked down file with append only rights. + +* When using the Helm chart, {product-short} writes logs to persistent volumes. [id="feature-rhidp-2643"] 
@@ -37,10 +37,10 @@ With this update, you can provide transformer functions for users and groups to [id="feature-rhidp-2644"] == Expose extension points for the keycloak-backend plugin -With this update, you can provide transformer functions for user/group to mutate the entity from Keycloak before their ingestion into the catalog with the new Backstage backend. - -.Procedure -. Create a backend module. +With this update, you can provide transformer functions for user/group to mutate the entity from Keycloak before their ingestion into the catalog with the new Backstage backend. + +.Procedure +. Create a backend module. . Provide the custom transformers to the `keycloakTransformerExtensionPoint` extension point exported by the package. [id="enhancement-rhidp-2695"] 
@@ -56,49 +56,49 @@ With this update, {product-short} can load roles and permissions into the RBAC B [id="enhancement-rhidp-2736"] == Force catalog ingestion for production users -By default, it is now required for the user entity to exist in the software catalog to allow sign in. -This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. -To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog. +By default, it is now required for the user entity to exist in the software catalog to allow sign in. +This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. +To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog. Enabling this option is dangerous as it might allow unauthorized users to gain access. [id="enhancement-rhidp-2768"] == RBAC UI enhancements -With this update, the RBAC UI has been improved: - -* The **Create role** form and the **Role** overview page display the total number of conditional rules configured. -* The **Role** list page displays accessible plugins. +With this update, the RBAC UI has been improved: + +* The **Create role** form and the **Role** overview page display the total number of conditional rules configured. +* The **Role** list page displays accessible plugins. [id="enhancement-rhidp-2790"] == Updated Backstage version -With this update, Backstage was updated to version {product-backstage-version}. 
- -.Additional resources: -* link:https://github.com/backstage/backstage/releases/tag/v1.27.0[Backstage 1.27 release notes] -* link:https://github.com/backstage/backstage/blob/v1.27.0/docs/releases/v1.27.0-changelog.md[Backstage 1.27 changelog] -* link:https://github.com/backstage/backstage/releases/tag/v1.28.0[Backstage 1.28 release notes] -* link:https://github.com/backstage/backstage/blob/v1.28.0/docs/releases/v1.28.0-changelog.md[Backstage 1.28 changelog] -* link:https://github.com/backstage/backstage/releases/tag/v1.29.0[Backstage 1.29 release notes] -* link:https://github.com/backstage/backstage/blob/v1.29.2/docs/releases/v1.29.0-changelog.md[Backstage 1.29 changelog] -* link:https://issues.redhat.com/browse/RHIDP-2794[RHIDP-2794] -* link:https://issues.redhat.com/browse/RHIDP-2847[RHIDP-2847] +With this update, Backstage was updated to version {product-backstage-version}. + +.Additional resources: +* link:https://github.com/backstage/backstage/releases/tag/v1.27.0[Backstage 1.27 release notes] +* link:https://github.com/backstage/backstage/blob/v1.27.0/docs/releases/v1.27.0-changelog.md[Backstage 1.27 changelog] +* link:https://github.com/backstage/backstage/releases/tag/v1.28.0[Backstage 1.28 release notes] +* link:https://github.com/backstage/backstage/blob/v1.28.0/docs/releases/v1.28.0-changelog.md[Backstage 1.28 changelog] +* link:https://github.com/backstage/backstage/releases/tag/v1.29.0[Backstage 1.29 release notes] +* link:https://github.com/backstage/backstage/blob/v1.29.2/docs/releases/v1.29.0-changelog.md[Backstage 1.29 changelog] +* link:https://issues.redhat.com/browse/RHIDP-2794[RHIDP-2794] +* link:https://issues.redhat.com/browse/RHIDP-2847[RHIDP-2847] * link:https://issues.redhat.com/browse/RHIDP-2796[RHIDP-2796] [id="enhancement-rhidp-2818"] == Authenticating with Microsoft Azure -The Microsoft Azure Authentication provider is now enterprise ready. 
-To enable this, enhancements and bug fixes were made to improve the authentication and entity ingestion process. +The Microsoft Azure Authentication provider is now enterprise ready. +To enable this, enhancements and bug fixes were made to improve the authentication and entity ingestion process. Note, the existence of user entity in the catalog is now enforced. [id="feature-rhidp-2865"] == Deploying on OpenShift Dedicated on Google Cloud Provider (GCP) -Before this update, there was no automated process to deploy {product-short} on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP). - -With this update, you can link:https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3/html-single/installing_red_hat_developer_hub_on_openshift_dedicated_on_google_cloud_platform/index[install {product} on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP)] by using either Red Hat Developer Hub Operator or Red Hat Developer Hub Helm Chart. +Before this update, there was no automated process to deploy {product-short} on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP). + +With this update, you can link:https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3/html-single/installing_red_hat_developer_hub_on_openshift_dedicated_on_google_cloud_platform/index[install {product} on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP)] by using either Red Hat Developer Hub Operator or Red Hat Developer Hub Helm Chart. [id="feature-rhidp-2888"] 
@@ -109,16 +109,16 @@ With this update, you can visualize the Virtual Machine nodes deployed on the cl [id="feature-rhidp-2907"] == Customizing the Home page -With this update, you can customize the Home page in {product} by passing the data into the `app-config.yaml` file as a proxy. It is now possible to add, reorganize, and remove cards, including the search bar, quick access, headline, markdown, placeholder, catalog starred entities and featured docs that appear based on the plugins you have installed and enabled. +With this update, you can customize the Home page in {product} by passing the data into the `app-config.yaml` file as a proxy. It is now possible to add, reorganize, and remove cards, including the search bar, quick access, headline, markdown, placeholder, catalog starred entities and featured docs that appear based on the plugins you have installed and enabled. [id="enhancement-rhidp-3064"] == Customizing the main navigation sidebar -This update introduces a configurable and customizable main navigation sidebar in {product-short}, offering administrators greater control over the navigation structure. Previously, the sidebar was hard-coded with limited flexibility, and dynamic plugins could only contribute menu items without control over their order or structure. - -With this feature, administrators can now configure the order of navigation items, create nested sub-navigation, and provide users with a more organized and intuitive interface. This enhancement improves user experience and efficiency by allowing a more tailored navigation setup. - +This update introduces a configurable and customizable main navigation sidebar in {product-short}, offering administrators greater control over the navigation structure. Previously, the sidebar was hard-coded with limited flexibility, and dynamic plugins could only contribute menu items without control over their order or structure. 
+ +With this feature, administrators can now configure the order of navigation items, create nested sub-navigation, and provide users with a more organized and intuitive interface. This enhancement improves user experience and efficiency by allowing a more tailored navigation setup. + Backward compatibility is maintained, ensuring existing dynamic plugin menu item contributions remain functional. A default configuration is provided, along with example configurations, including one with an external dynamic plugin. Documentation has been updated to guide developers on customizing the navigation. [id="enhancement-rhidp-3125"] 
@@ -129,65 +129,65 @@ With this update, the `@backstage/plugin-catalog-backend-module-logs` plugin has [id="feature-rhidp-3177"] == Configuring conditional policies by using external files -With this release, you can configure conditional policies in {product-short} using external files. -Additionally, {product-short} supports conditional policy aliases, which are dynamically substituted with the appropriate values during policy evaluation. - +With this release, you can configure conditional policies in {product-short} using external files. +Additionally, {product-short} supports conditional policy aliases, which are dynamically substituted with the appropriate values during policy evaluation. + For more information, see link:{authorization-book-url}#con-rbac-conditional-policies-rhdh_title-authorization[Configuring conditional policies]. [id="feature-rhidp-3569"] == Restarting {product} faster -Before this update, it took a long time for {product-short} to restart because {product-short} bootstraps all dynamic plugins from zero with every restart. - -With this update, {product-short} is using persisted volumes for the dynamic plugins. +Before this update, it took a long time for {product-short} to restart because {product-short} bootstraps all dynamic plugins from zero with every restart. + +With this update, {product-short} is using persisted volumes for the dynamic plugins. Therefore, {product-short} restarts faster. [id="feature-rhidp-3666"] == Monitoring active users on Developer Hub -With this update, you can monitor active users on Developer Hub using the `licensed-users-info-backend` plugin. This plugin provides statistical data on logged-in users through the Web UI or REST API endpoints. - +With this update, you can monitor active users on Developer Hub using the `licensed-users-info-backend` plugin. This plugin provides statistical data on logged-in users through the Web UI or REST API endpoints. 
+ For more information, see link:{authorization-book-url}[{authorization-book-title}]. [id="enhancement-rhidp-3826"] == Loading a custom Backstage theme from a dynamic plugin -With this update, you can load a custom Backstage theme from a dynamic plugin. - -.Procedure - -. Export a theme provider function in the dynamic plugin, such as: -+ -[source,javascript] ----- -import { lightTheme } from './lightTheme'; // some custom theme -import { UnifiedThemeProvider } from '@backstage/theme'; -export const lightThemeProvider = ({ children }: { children: ReactNode }) => ( - <UnifiedThemeProvider theme={lightTheme} children={children} /> -); ----- - -. Configure {product-short} to load the them in the UI by using the new `themes` configuration field: -+ -[source,yaml] ----- -dynamicPlugins: - frontend: - example.my-custom-theme-plugin: - themes: - - id: light # <1> - title: Light - variant: light - icon: someIconReference - importName: lightThemeProvider ----- -<1> Set your theme id. Optionally, override the default Developer Hub themes specifying following id value: `light` overrides the default light theme and `dark` overrides the default dark theme. - -.Verification - -* The theme is available in the "Settings" page. - - +With this update, you can load a custom Backstage theme from a dynamic plugin. + +.Procedure + +. Export a theme provider function in the dynamic plugin, such as: ++ +[source,javascript] +---- +import { lightTheme } from './lightTheme'; // some custom theme +import { UnifiedThemeProvider } from '@backstage/theme'; +export const lightThemeProvider = ({ children }: { children: ReactNode }) => ( + <UnifiedThemeProvider theme={lightTheme} children={children} /> +); +---- + +. 
Configure {product-short} to load the them in the UI by using the new `themes` configuration field: ++ +[source,yaml] +---- +dynamicPlugins: + frontend: + example.my-custom-theme-plugin: + themes: + - id: light # <1> + title: Light + variant: light + icon: someIconReference + importName: lightThemeProvider +---- +<1> Set your theme id. Optionally, override the default Developer Hub themes specifying following id value: `light` overrides the default light theme and `dark` overrides the default dark theme. + +.Verification + +* The theme is available in the "Settings" page. + + This update also introduced the ability to override core API service factories from a dynamic plugin, which can be helpful for more specialized use cases such as providing a custom ScmAuth configuration for the {product-short} frontend. diff --git a/modules/release-notes/ref-release-notes-technology-preview.adoc b/modules/release-notes/ref-release-notes-technology-preview.adoc index 4548fd1b23..7c297a31a7 100644 --- a/modules/release-notes/ref-release-notes-technology-preview.adoc +++ b/modules/release-notes/ref-release-notes-technology-preview.adoc @@ -15,9 +15,9 @@ See: link:https://access.redhat.com/support/offerings/techpreview/[Technology Pr [id="technology-preview-rhidp-1397"] == Registering existing entities from multiple Git repositories simultaneously -With this update, you can register entities from multiple repositories simultaneously, without the need to register them individually. - -For repositories without a `catalog-entity.yaml` file, the plugin creates a pull request. +With this update, you can register entities from multiple repositories simultaneously, without the need to register them individually. + +For repositories without a `catalog-entity.yaml` file, the plugin creates a pull request. Once the pull request is merged, {product-short} registers the entity in the software catalog. 
@@ -27,7 +27,7 @@ Once the pull request is merged, {product-short} registers the entity in the sof [id="technology-preview-rhidp-3713"] == Added the catalog backend module logs plugin -With this update, {product-short} includes the `@backstage/plugin-catalog-backend-module-logs` plugin as a dynamic plugin to help surface catalog errors into the logs. +With this update, {product-short} includes the `@backstage/plugin-catalog-backend-module-logs` plugin as a dynamic plugin to help surface catalog errors into the logs. This dynamic plugin is disabled by default. From b9365095a7c8c378e61fdbf91b9db1acfac8facc Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Tue, 14 Jan 2025 14:37:36 -0500 Subject: [PATCH 3/4] generate node/go CVE list Signed-off-by: Nick Boldt --- ...fixed-security-issues-in-product-1.3.4.txt | 24 +++++++------------ ...ist-fixed-security-issues-in-rpm-1.3.4.txt | 16 +++++++++++++ ...ixed-security-issues-in-product-1.3.4.adoc | 9 +++++++ 3 files changed, 33 insertions(+), 16 deletions(-) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt index d1e72dc52e..142a13f18c 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.3.4.txt 
@@ -1,16 +1,8 @@
-# TODO verify these are fixed in the latest rhdh-hub / operator containers
-
-# https://errata.engineering.redhat.com/advisory/144019
-# CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization
-# CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
-# CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
-# CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
-
-# https://errata.engineering.redhat.com/advisory/139648
-# CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
-
-# https://errata.engineering.redhat.com/advisory/143859
-# CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths
-
-# https://errata.engineering.redhat.com/advisory/143848
-# CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses
+# done in 1.3.4
+CVE-2024-56201, rhdh-hub-rhel9: Jinja has a sandbox breakout through malicious filenames
+CVE-2024-56326, rhdh-hub-rhel9: Jinja has a sandbox breakout through indirect reference to format method
+CVE-2024-55565, rhdh-hub-rhel9: nanoid mishandles non-integer values
+
+# to be done
+# CVE-2024-45338, rhdh-rhel9-operator: Non-linear parsing of case-insensitive content in golang.org/x/net/html
+# CVE-2024-52798, rhdh-hub-rhel9: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x
diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt
index e69de29bb2..d1e72dc52e 100644
--- a/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt
+++ b/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt
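Review bot: The two `# to be done` entries (CVE-2024-45338, CVE-2024-52798) are kept as comments with no pointer to what blocks them, so nothing in the file says when they should move into the published list or who owns that; a trailer such as `# to be done, blocked on <tracking issue>` would make the gap auditable. The three `done` entries also drop the advisory link that the rpm list keeps per group, so a reader cannot get from the release note back to the errata; consider the same `# <advisory URL>, <component NVR>` header line per group here.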
@@ -0,0 +1,16 @@
+# TODO verify these are fixed in the latest rhdh-hub / operator containers
+
+# https://errata.engineering.redhat.com/advisory/144019
+# CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization
+# CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
+# CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
+# CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
+
+# https://errata.engineering.redhat.com/advisory/139648
+# CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
+
+# https://errata.engineering.redhat.com/advisory/143859
+# CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths
+
+# https://errata.engineering.redhat.com/advisory/143848
+# CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses
diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc
index 065df0a0fa..27d9fe551c 100644
--- a/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc
+++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc
@@ -1 +1,10 @@
 = {product} dependency updates
+
+link:https://access.redhat.com/security/cve/CVE-2024-55565[CVE-2024-55565]::
+nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
+
+link:https://access.redhat.com/security/cve/CVE-2024-56201[CVE-2024-56201]::
+A flaw was found in the Jinja2 package. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of Jinja's sandbox being used. An attacker needs to be able to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates where the template author can also choose the template filename.
+
+link:https://access.redhat.com/security/cve/CVE-2024-56326[CVE-2024-56326]::
+A flaw was found in the Jinja package. In affected versions of Jinja, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, storing a reference to a malicious string's format method is possible, then passing that to a filter that calls it. No such filters are built into Jinja but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.
From 491b2d5ec324dd1c1e958b1a82cb2a9f9a842bbb Mon Sep 17 00:00:00 2001
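Review bot: The three entries reproduce the upstream CVE text, which ends with `Whether that is the case depends on the type of application using Jinja`, and never say how the fixed package is used in {product-short}, so a reader cannot tell whether the sandbox breakouts were reachable in their deployment; the source list records the component as `rhdh-hub-rhel9`, and carrying that into each entry together with the fixed version shipped would answer that. The nanoid entry names two fixed lines (`before 5.0.9` and `3.3.8`) without saying which one the image now contains. Consider a lead line per entry such as `Fixed in the rhdh-hub-rhel9 image (<shipped version>).` with the version taken from the build manifest.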
From: Nick Boldt Date: Tue, 14 Jan 2025 14:52:01 -0500 Subject: [PATCH 4/4] formatting tweaks + enable one of the 4 RPM CVEs until the other 3 are ready Signed-off-by: Nick Boldt --- ...ist-fixed-security-issues-in-rpm-1.3.4.txt | 12 +-- .../ref-release-notes-breaking-changes.adoc | 88 +++++++++---------- ...ease-notes-deprecated-functionalities.adoc | 2 +- .../ref-release-notes-fixed-issues.adoc | 48 +++++----- .../ref-release-notes-known-issues.adoc | 10 +-- .../ref-release-notes-new-features.adoc | 20 ----- .../ref-release-notes-technology-preview.adoc | 4 +- ...e-source-release-notes-template.adoc.jinja | 10 +-- ...ip-fixed-security-issues-in-rpm-1.3.4.adoc | 3 + 9 files changed, 89 insertions(+), 108 deletions(-) diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt index d1e72dc52e..52a572980c 100644 --- a/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt +++ b/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt 
@@ -1,16 +1,16 @@
+# https://errata.engineering.redhat.com/advisory/143859
+CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths
+
 # TODO verify these are fixed in the latest rhdh-hub / operator containers
 
-# https://errata.engineering.redhat.com/advisory/144019
+# https://errata.engineering.redhat.com/advisory/144019, kernel-5.14.0-503.21.1.el9_5
 # CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization
 # CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
 # CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
 # CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
 
-# https://errata.engineering.redhat.com/advisory/139648
+# https://errata.engineering.redhat.com/advisory/139648, skopeo-1.16.1-2.el9_5
 # CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
 
-# https://errata.engineering.redhat.com/advisory/143859
-# CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths
-
-# https://errata.engineering.redhat.com/advisory/143848
+# https://errata.engineering.redhat.com/advisory/143848, python3.9-3.9.21-1.el9_5
 # CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses
diff --git a/modules/release-notes/ref-release-notes-breaking-changes.adoc b/modules/release-notes/ref-release-notes-breaking-changes.adoc
index c7987c3bd9..c68189b546 100644
--- a/modules/release-notes/ref-release-notes-breaking-changes.adoc
+++ b/modules/release-notes/ref-release-notes-breaking-changes.adoc
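Review bot: The newly enabled CVE-2024-9287 group is the only one whose advisory line lacks the package NVR that this same commit adds to the other three (`kernel-5.14.0-503.21.1.el9_5`, `skopeo-1.16.1-2.el9_5`, `python3.9-3.9.21-1.el9_5`), so the one entry that will actually be published is the one a reader cannot check against the installed RPM; make it `# https://errata.engineering.redhat.com/advisory/143859, <python3.11 NVR>`. Moving the enabled group above the `# TODO verify ...` comment leaves that comment scoping only the groups below it, which is the intent, but a one-line marker such as `# published` on the first group would make the split between published and pending entries explicit.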
@@ -1,37 +1,37 @@ -:_content-type: REFERENCE -[id="breaking-changes"] -= Breaking changes - -This section lists breaking changes in {product} {product-version}. - -[id="removed-functionality-rhidp-3048"] -== The 'dynamic-plugins' config map is named dynamically - +:_content-type: REFERENCE +[id="breaking-changes"] += Breaking changes + +This section lists breaking changes in {product} {product-version}. + +[id="removed-functionality-rhidp-3048"] +== The 'dynamic-plugins' config map is named dynamically + Before this update, the dynamic-plugins config map name was hardcoded. Therefore, it was not possible to install two {product} helm charts in the same namespace. With this update, the dynamic-plugins config map is named dynamically based on the deployment name similar to how all other components names are generated. -When upgrading from a previous chart you might need to manually update that section of your `values.yaml` file to pull in the correct config map. - - -.Additional resources -* link:https://issues.redhat.com/browse/RHIDP-3048[RHIDP-3048] - -[id="removed-functionality-rhidp-3074"] -== Signing in without user in the software catalog is now disabled by default - +When upgrading from a previous chart you might need to manually update that section of your `values.yaml` file to pull in the correct config map. + +.Additional resources + +* link:https://issues.redhat.com/browse/RHIDP-3048[RHIDP-3048] + +[id="removed-functionality-rhidp-3074"] +== Signing in without user in the software catalog is now disabled by default + By default, it is now required for the user entity to exist in the software catalog to allow sign in. This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. 
To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog. -Enabling this option is dangerous as it might allow unauthorized users to gain access. - - -.Additional resources -* link:https://issues.redhat.com/browse/RHIDP-3074[RHIDP-3074] - -[id="removed-functionality-rhidp-3187"] -== {company-name} and Community Technology Preview (TP) plugins and actions are disabled by default - +Enabling this option is dangerous as it might allow unauthorized users to gain access. + +.Additional resources + +* link:https://issues.redhat.com/browse/RHIDP-3074[RHIDP-3074] + +[id="removed-functionality-rhidp-3187"] +== {company-name} and Community Technology Preview (TP) plugins and actions are disabled by default + Before this update, some {company-name} and Community Technology Preview (TP) plugins and actions were enabled by default: .Technology Preview plugins @@ -52,15 +52,15 @@ With this update, all plugins included under the link:https://access.redhat.com/ .Procedure * If your workload requires these plugins, enable them in your custom resource or configmap using `disabled: false`. -//See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples. - - -.Additional resources -* link:https://issues.redhat.com/browse/RHIDP-3187[RHIDP-3187] - -[id="removed-functionality-rhidp-4293"] -== Plugins with updated scope - +//See https://github.com/redhat-developer/red-hat-developer-hub/blob/main/dynamic-plugins.default.yaml for examples. + +.Additional resources + +* link:https://issues.redhat.com/browse/RHIDP-3187[RHIDP-3187] + +[id="removed-functionality-rhidp-4293"] +== Plugins with updated scope + With this update, three plugins previously under the `@janus-idp` scope have moved to `@backstage-community`: [%header,cols=2*] 
@@ -90,11 +90,11 @@ As the scope of the previous plugins has been updated, the dynamic plugin config .Procedure * If your workload requires plugins with an updated scope, revise your configuration to use the latest plugins from the new scope. -//See https://github.com/redhat-developer/rhdh/blob/main/dynamic-plugins.default.yaml for examples. - - -.Additional resources -* link:https://issues.redhat.com/browse/RHIDP-4293[RHIDP-4293] - - - +//See https://github.com/redhat-developer/rhdh/blob/main/dynamic-plugins.default.yaml for examples. + +.Additional resources + +* link:https://issues.redhat.com/browse/RHIDP-4293[RHIDP-4293] + + + diff --git a/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc b/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc index 41b8fd29d5..6a615958dc 100644 --- a/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc +++ b/modules/release-notes/ref-release-notes-deprecated-functionalities.adoc @@ -55,8 +55,8 @@ spec: // https://github.com/redhat-developer/rhdh-operator/blob/main/docs/configuration.md#deployment-parameters - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-1138[RHIDP-1138] diff --git a/modules/release-notes/ref-release-notes-fixed-issues.adoc b/modules/release-notes/ref-release-notes-fixed-issues.adoc index 4c25cf5fec..9a5b9b33e5 100644 --- a/modules/release-notes/ref-release-notes-fixed-issues.adoc +++ b/modules/release-notes/ref-release-notes-fixed-issues.adoc @@ -13,8 +13,8 @@ Before this update, configuring the `useRedisSets: false` option resulted in the With this update, you can now opt out of using Redis sets. It is recommended to clear your cache in order to remove any invalid keys. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-5180[RHIDP-5180] == Fixed issues in 1.3.2 
@@ -27,8 +27,8 @@ Previously, the feature to report a documentation (techdoc) issue didn't wor With this update, the user can select content in the documentation, and click the tooltip button to report a documentation issue. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-5121[RHIDP-5121] == Fixed issues in 1.3.1 @@ -40,8 +40,8 @@ Before this update, a conditional alias that uses `$ownerRefs` did not work. With this update, a conditional alias can use `$ownerRefs`. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-4069[RHIDP-4069] == Fixed issues in 1.3 @@ -51,8 +51,8 @@ With this update, a conditional alias can use `$ownerRefs`. With this update, the {product} Helm Chart does not contain a pull secret that is no longer needed. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-1334[RHIDP-1334] @@ -64,8 +64,8 @@ Therefore, {product-short} denied the request with an error. With this update, {product-short} denies the request without throwing an error. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2139[RHIDP-2139] @@ -78,8 +78,8 @@ Also, {product-short} might have shown an error when opening the user entity in With this update, {product-short} can handle a user member of a high number of groups (more than 150) with aggregated relations. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2412[RHIDP-2412] @@ -90,8 +90,8 @@ Before this update, when the OCM plugin is installed, navigating to non-OCM page With this update, {product-short} restricts OCM API calls to OCM-related pages. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2438[RHIDP-2438] 
@@ -104,8 +104,8 @@ Therefore, a user authentication with Microsoft Azure could not open a session i With this update, {product-short} resolves user entities with Azure authentication provider to entities ingested by the MsGraph catalog provider. Therefore, a user authentication with Microsoft Azure can open a session in {product-short}. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2529[RHIDP-2529] @@ -117,8 +117,8 @@ Before this update, in a {product-short} deployment with the default configurati With this update, the default `upstream.backstage.appConfig` configuration uses the `backend.auth.externalAccess` field rather than the deprecated `backend.auth.keys` field. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2716[RHIDP-2716] @@ -127,8 +127,8 @@ With this update, the default `upstream.backstage.appConfig` configuration uses With this update, {product-short} does not include user IP addresses in the application logs. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2728[RHIDP-2728] @@ -141,8 +141,8 @@ Therefore, {product-short} might have not displayed all pull requests. With this update, {product-short} limits paging to max 1000 results to respect GitHub search API restrictions. {product-short} show users when additional results are available, suggesting in a tooltip that they can refine their query to retrieve more specific results. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3159[RHIDP-3159] @@ -154,8 +154,8 @@ The situation ended with a dead lock. With this update, {product-short} handles simultaneous pod refreshing without a dead lock. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3217[RHIDP-3217] 
@@ -168,8 +168,8 @@ Therefore subsequent Helm deployments of the RHDH Helm Chart version 1.2.1 faile With this update, the Helm Chart creates and uses a dynamic-plugins-npmrc secret that is named in line with the other resources managed by the Helm Chart: `_<release-name>_-dynamic-plugins-npmrc`. As a result, the Helm Chart does not fail on the previous error. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3260[RHIDP-3260] @@ -180,8 +180,8 @@ Before this update, {product-short} stopped displaying some metrics such as cata With this update, {product-short} displays expected metrics in the /metrics endpoint. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3458[RHIDP-3458] @@ -208,8 +208,8 @@ ClassNameGenerator.configure(componentName => { This update requires using a version of the @janus-idp/cli package > 1.13.1. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3471[RHIDP-3471] @@ -233,8 +233,8 @@ With this udpate, {product-short} validates more strictly role and namespace nam - Strings of length at least 1, and at most 63. - Must be sequences of `[a-zA-Z0-9]`, possibly separated by `-`. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3580[RHIDP-3580] @@ -245,8 +245,8 @@ Before this update, conditional policies and policies loaded from files remained With this update, conditional policies and policies loaded from files are removed after the corresponding policy files are removed from the configuration. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3601[RHIDP-3601] @@ -257,8 +257,8 @@ Before this update, the timestamp in the `catalog-info.yaml` created by the `cat With this update, a unique timestamp is generated on each execution of the template. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3612[RHIDP-3612] 
@@ -270,8 +270,8 @@ Before this update, when a user displayed the virtual machine details in the sid With this update, the missing icons have been added. Therefore, when a user displays the virtual machine details in the sidebar, an icon shows the virtual machine status. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3735[RHIDP-3735] @@ -282,8 +282,8 @@ Before this update, authentication with Github failed when the `dangerouslyAllow With this update, when the `dangerouslyAllowSignInWithoutUserInCatalog` field is set to true, you can authenticate to {product-short} with a user absent from the software catalog. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3896[RHIDP-3896] @@ -295,8 +295,8 @@ Before this update, when the {product-short} image was configured in both the cu With this update, the custom resource configuration takes precedence and is applied. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-4013[RHIDP-4013] @@ -309,8 +309,8 @@ Therefore, the {product-short} administrator was not able to select required use With this update, the dropdown displays initially up to 100 users or groups shown and updates the display once the user starts to search. The search happens across the whole data-set and displays the first 100 results. The user must refine their search to narrow the results to a list containing the desired user or group. Therefore, even with larger numbers or users/groups, the {product-short} administrator can add required users or groups to the role. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-4046[RHIDP-4046] @@ -323,8 +323,8 @@ Therefore the ArgoCD plugin failed to load. With this update, the ArgoCD plugin is bundled with dynamic frontend plugin assets. Therefore the ArgoCD plugin can load properly. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-4200[RHIDP-4200] == Fixed issues in 1.2.2 
@@ -336,8 +336,8 @@ Before this update, the RBAC administration user interface *Permission Policies* With this update, the RBAC administration user interface *Permission Policies* table displays the plugin name. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-2374[RHIDP-2374] diff --git a/modules/release-notes/ref-release-notes-known-issues.adoc b/modules/release-notes/ref-release-notes-known-issues.adoc index 8d2c698773..34ca618cfc 100644 --- a/modules/release-notes/ref-release-notes-known-issues.adoc +++ b/modules/release-notes/ref-release-notes-known-issues.adoc @@ -13,8 +13,8 @@ A possible workaround for the upgrade is to manually scale down the number of re You can also leverage a Pod Affinity rule to force the cluster scheduler to run your {product-short} pods on the same node. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-5342[RHIDP-5342] [id="known-issue-rhidp-5284"] @@ -22,8 +22,8 @@ You can also leverage a Pod Affinity rule to force the cluster scheduler to run Repositories might be added to Developer Hub from various sources (like statically in an app-config file or dynamically when enabling GitHub discovery). By design, the bulk import plugin will only track repositories that are accessible from the configured GitHub integrations. When both the Bulk Import and the GitHub Discovery plugins are enabled, the repositories the latter discovers might be listed in the Bulk Import pages. However, attempting to delete a repository added by the discovery plugin from the Bulk Import Jobs may have no effect, as any entities registered from this repository might still be present in the Developer Hub catalog. There is unfortunately no known workaround yet. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-5284[RHIDP-5284] [id="known-issue-rhidp-4695"] 
@@ -33,8 +33,8 @@ When using {rhsso-brand-name} or {rhbk-brand-name} as an OIDC provider, it shoul - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-4695[RHIDP-4695] [id="known-issue-rhidp-4067"] @@ -42,8 +42,8 @@ When using {rhsso-brand-name} or {rhbk-brand-name} as an OIDC provider, it shoul Only the first 20 repositories (in alphabetical order) can be displayed at most on the Bulk Import Added Repositories page. Also, the count of Added Repositories displayed might be wrong. In future releases, we plan to address this with proper pagination. Meanwhile, as a workaround, searching would still work against all Added Repositories. So you can still search any Added Repository and get it listed on the table. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-4067[RHIDP-4067] [id="known-issue-rhidp-3396"] @@ -51,8 +51,8 @@ Only the first 20 repositories (in alphabetical order) can be displayed at most Permissions associated only with front-end plugins do not appear in the UI because they require a backend plugin to expose the permission framework's well-known endpoint. As a workaround, you can apply these permissions by using a CSV file or directly calling the REST API of the RBAC backend plugin. Affected plugins include Topology (`topology.view.read`), Tekton (`tekton.view.read`), ArgoCD (`argocd.view.read`), and Quay (`quay.view.read`). - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3396[RHIDP-3396] diff --git a/modules/release-notes/ref-release-notes-new-features.adoc b/modules/release-notes/ref-release-notes-new-features.adoc index 290e966028..1dbcb42bba 100644 --- a/modules/release-notes/ref-release-notes-new-features.adoc +++ b/modules/release-notes/ref-release-notes-new-features.adoc 
@@ -11,12 +11,10 @@ With this update, when deploying {product} by using the operator, you can config The {product-short} Operator Custom Resource Definition (CRD) API Version has been updated to `rhdh.redhat.com/v1alpha2`. This CRD exposes a generic `spec.deployment.patch` field, which allows you to patch the {product-short} Deployment resource. - [id="feature-rhidp-2341"] == Using nested conditions in RBAC conditional policies With this update, as a {product-short} administrator, you can create and edit nested conditions in RBAC conditional policies by using the {product-short} web UI. - [id="enhancement-rhidp-2615"] == Persisting the audit log @@ -28,12 +26,10 @@ With this update, you can persist the audit log: * When using the Helm chart, {product-short} writes logs to persistent volumes. - [id="feature-rhidp-2643"] == Allow Dynamic Configuration of Keycloak User/Group Transformers With this update, you can provide transformer functions for users and groups to mutate entity parameters from Keycloak before their ingestion into the catalog. This can be done by creating a new backend module and using the added keycloakTransformerExtensionPoint. - [id="feature-rhidp-2644"] == Expose extension points for the keycloak-backend plugin 
@@ -42,17 +38,14 @@ With this update, you can provide transformer functions for user/group to mutate .Procedure . Create a backend module. . Provide the custom transformers to the `keycloakTransformerExtensionPoint` extension point exported by the package. - [id="enhancement-rhidp-2695"] == All public endpoints in core and plugins have OpenAPI specs With this update, OpenAPI Specs are available for all components, including the rbac-backend plugin. - [id="enhancement-rhidp-2723"] == RBAC Backend plugin module support With this update, {product-short} can load roles and permissions into the RBAC Backend plugin through the use of extension points with the help of a plugin module. - [id="enhancement-rhidp-2736"] == Force catalog ingestion for production users @@ -60,7 +53,6 @@ By default, it is now required for the user entity to exist in the software cata This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog. Enabling this option is dangerous as it might allow unauthorized users to gain access. - [id="enhancement-rhidp-2768"] == RBAC UI enhancements @@ -69,7 +61,6 @@ With this update, the RBAC UI has been improved: * The **Create role** form and the **Role** overview page display the total number of conditional rules configured. * The **Role** list page displays accessible plugins. - [id="enhancement-rhidp-2790"] == Updated Backstage version 
@@ -85,14 +76,12 @@ With this update, Backstage was updated to version {product-backstage-version}. * link:https://issues.redhat.com/browse/RHIDP-2794[RHIDP-2794] * link:https://issues.redhat.com/browse/RHIDP-2847[RHIDP-2847] * link:https://issues.redhat.com/browse/RHIDP-2796[RHIDP-2796] - [id="enhancement-rhidp-2818"] == Authenticating with Microsoft Azure The Microsoft Azure Authentication provider is now enterprise ready. To enable this, enhancements and bug fixes were made to improve the authentication and entity ingestion process. Note, the existence of user entity in the catalog is now enforced. - [id="feature-rhidp-2865"] == Deploying on OpenShift Dedicated on Google Cloud Provider (GCP) @@ -100,18 +89,15 @@ Before this update, there was no automated process to deploy {product-short} on With this update, you can link:https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3/html-single/installing_red_hat_developer_hub_on_openshift_dedicated_on_google_cloud_platform/index[install {product} on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP)] by using either Red Hat Developer Hub Operator or Red Hat Developer Hub Helm Chart. - [id="feature-rhidp-2888"] == Visualize Virtual Machine nodes on the Topology plugin With this update, you can visualize the Virtual Machine nodes deployed on the cluster through the Topology plugin. - [id="feature-rhidp-2907"] == Customizing the Home page With this update, you can customize the Home page in {product} by passing the data into the `app-config.yaml` file as a proxy. It is now possible to add, reorganize, and remove cards, including the search bar, quick access, headline, markdown, placeholder, catalog starred entities and featured docs that appear based on the plugins you have installed and enabled. - [id="enhancement-rhidp-3064"] == Customizing the main navigation sidebar 
@@ -120,12 +106,10 @@ This update introduces a configurable and customizable main navigation sidebar i With this feature, administrators can now configure the order of navigation items, create nested sub-navigation, and provide users with a more organized and intuitive interface. This enhancement improves user experience and efficiency by allowing a more tailored navigation setup. Backward compatibility is maintained, ensuring existing dynamic plugin menu item contributions remain functional. A default configuration is provided, along with example configurations, including one with an external dynamic plugin. Documentation has been updated to guide developers on customizing the navigation. - [id="enhancement-rhidp-3125"] == Surfacing Catalog Processing Errors to Users With this update, the `@backstage/plugin-catalog-backend-module-logs` plugin has been made available as a dynamic plugin to help surface catalog errors into the logs. This dynamic plugin is disabled by default. - [id="feature-rhidp-3177"] == Configuring conditional policies by using external files @@ -133,7 +117,6 @@ With this release, you can configure conditional policies in {product-short} usi Additionally, {product-short} supports conditional policy aliases, which are dynamically substituted with the appropriate values during policy evaluation. For more information, see link:{authorization-book-url}#con-rbac-conditional-policies-rhdh_title-authorization[Configuring conditional policies]. - [id="feature-rhidp-3569"] == Restarting {product} faster 
@@ -141,14 +124,12 @@ Before this update, it took a long time for {product-short} to restart because { With this update, {product-short} is using persisted volumes for the dynamic plugins. Therefore, {product-short} restarts faster. - [id="feature-rhidp-3666"] == Monitoring active users on Developer Hub With this update, you can monitor active users on Developer Hub using the `licensed-users-info-backend` plugin. This plugin provides statistical data on logged-in users through the Web UI or REST API endpoints. For more information, see link:{authorization-book-url}[{authorization-book-title}]. - [id="enhancement-rhidp-3826"] == Loading a custom Backstage theme from a dynamic plugin @@ -191,4 +172,3 @@ dynamicPlugins: This update also introduced the ability to override core API service factories from a dynamic plugin, which can be helpful for more specialized use cases such as providing a custom ScmAuth configuration for the {product-short} frontend. - diff --git a/modules/release-notes/ref-release-notes-technology-preview.adoc b/modules/release-notes/ref-release-notes-technology-preview.adoc index 7c297a31a7..99888a9dbb 100644 --- a/modules/release-notes/ref-release-notes-technology-preview.adoc +++ b/modules/release-notes/ref-release-notes-technology-preview.adoc @@ -20,8 +20,8 @@ With this update, you can register entities from multiple repositories simultane For repositories without a `catalog-entity.yaml` file, the plugin creates a pull request. Once the pull request is merged, {product-short} registers the entity in the software catalog. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-1397[RHIDP-1397] [id="technology-preview-rhidp-3713"] 
@@ -30,8 +30,8 @@ Once the pull request is merged, {product-short} registers the entity in the sof With this update, {product-short} includes the `@backstage/plugin-catalog-backend-module-logs` plugin as a dynamic plugin to help surface catalog errors into the logs. This dynamic plugin is disabled by default. - .Additional resources + * link:https://issues.redhat.com/browse/RHIDP-3713[RHIDP-3713]
diff --git a/modules/release-notes/single-source-release-notes-template.adoc.jinja b/modules/release-notes/single-source-release-notes-template.adoc.jinja
index df688e75f1..143cd5a479 100644
--- a/modules/release-notes/single-source-release-notes-template.adoc.jinja
+++ b/modules/release-notes/single-source-release-notes-template.adoc.jinja
@@ -17,11 +17,9 @@
 {% endif %}
 {{ issue.fields.customfield_12317313 }}
 {% if template == "with-jira-link" or template == "with-z-stream-section" %}
-
 .Additional resources
+
 * link:https://issues.redhat.com/browse/{{ issue.key }}[{{ issue.key }}]
-{% endif %}
-{% endfor %}
-{% if not vars -%}
-None.
-{% endif -%}
+
+{% endif %}{% endfor %}
+{% if not vars -%}None.{% endif -%}
diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc
index e4930e95c6..7da81e9b64 100644
--- a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc
+++ b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc
@@ -1 +1,4 @@
 = RHEL 9 platform RPM updates
+
+link:https://access.redhat.com/security/cve/CVE-2024-9287[CVE-2024-9287]::
+A vulnerability has been found in the Python `venv` module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated.
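Review bot: The new `CVE-2024-9287` entry in snip-fixed-security-issues-in-rpm-1.3.4.adoc describes the flaw but does not say which Python stream or RPM build delivers the fix, so a reader of the "RHEL 9 platform RPM updates" section cannot tell whether their image carries it. The tracking list changed in this same commit attributes the CVE to python 3.11 via advisory 143859, and the other advisories there now record the fixed NVR, so the public note should carry the same fact without exposing the internal errata URL. One sentence after the description would do, e.g. `Fixed in the python3.11 package, build <python3.11 NVR from advisory 143859>.`, quoted as a constructed example with the NVR to be filled in from the advisory.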