[chore] Updating orchestrator npm packages to OCI artifacts

[OpinionatedHeron]

Description of the change

Updating orchestrator npm packages to the relevant OCI Artifacts to reflect updates to RHDH.

npm packages were causing the scaffolder plugin to throw an error during startup

Which issue(s) does this PR fix or relate to

RHDHBUGS-2527

How to test changes / Special notes to the reviewer

Deploy Helm-based instance of RHDH with the orchestrator plugins enabled.

Checklist

• For each Chart updated, version bumped in the corresponding Chart.yaml according to Semantic Versioning.
• For each Chart updated, variables are documented in the values.yaml and added to the corresponding README.md. The pre-commit utility can be used to generate the necessary content. Use pre-commit run -a to apply changes. The pre-commit Workflow will do this automatically for you if needed.
• JSON Schema template updated and re-generated the raw schema via the pre-commit hook.
• Tests pass using the Chart Testing tool and the ct lint command.
• If you updated the orchestrator-infra chart, make sure the versions of the Knative CRDs are aligned with the versions of the CRDs installed by the OpenShift Serverless operators declared in the values.yaml file. See Installing Knative Eventing and Knative Serving CRDs for more details.

[rm3l]

/cherry-pick release-1.9

[openshift-cherrypick-robot]

@rm3l: once the present PR merges, I will cherry-pick it on top of release-1.9 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-1.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rm3l]

Suggested change

integrity: sha512-6G0YguzCM5nCDpOrIGJpLTXVMr6EBdIVqSXtsLH9RvBH25RTuFpfJ7q6eEp26DqveaiqUCfBpJ51smdjcsEzFQ==

Same point as in redhat-developer/rhdh-operator#2231 (comment)

[nickboldt]

hmm. since DPDY has the community-built refs for orchestrator, maybe we need a new rule in the script that generates the DPDY so that if the plugin is

• TP or GA supported, and
• exists in quay.io

we use the quay.io/rhdh reference instead of the ghcr.io one.

https://github.com/redhat-developer/rhdh/blob/main/dynamic-plugins.default.yaml#L1346-L1358

WDYT?

[rm3l]

Is this the scope of https://issues.redhat.com/browse/RHIDP-11725?

Also, I guess we would need to handle the different tagging logic (like bs_1.45.3__5.1.0 in ghcr.io vs 1.9.0--5.1.0 in quay.io)..

As I commented out above, I think we should leverage the {{inherit}} option in the install methods to inherit the version and config from the DPDY, otherwise it will quickly become a nightmare to keep up with the versions.
But for this to work properly, we should use the same reference as in the DPDY.

So as soon as we switch to quay.io/rhdh reference in the DPDY, we should update the install methods here accordingly.

[rm3l]

/review

[rhdh-qodo-merge]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶 RHDHBUGS-2527 - Partially compliant Compliant requirements: Consider switching Orchestrator plugins to OCI-based artifacts if needed for compatibility. Update configuration references for Orchestrator plugins in Helm values. Non-compliant requirements: Update configuration references for Orchestrator plugins in Operator dynamic plugins config if applicable. Requires further human verification: Reproduce and fix the startup/readiness failure when deploying RHDH 1.9 via Helm or Operator with Orchestrator plugins enabled. Update Orchestrator plugin versions/artifacts to be compatible with the Backstage version used in RHDH 1.9. Provide a way to validate the fix (deploy Helm/Operator instance with Orchestrator enabled and verify it starts and becomes ready).

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🔒 No security concerns identified

⚡ Recommended focus areas for review Supply Chain The change switches from NPM tarballs with integrity pins to OCI artifacts without any digest pinning. This reduces tamper-evidence/immutability guarantees; consider pinning by digest (e.g., oci://...@sha256:...) or otherwise documenting/ensuring immutability of the referenced tags. - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-orchestrator-backend:{{ "{{" }}inherit{{ "}}" }}' disabled: false pluginConfig: orchestrator: dataIndexService: url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }} - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-orchestrator-form-widgets:{{ "{{" }}inherit{{ "}}" }}' disabled: false - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-orchestrator:{{ "{{" }}inherit{{ "}}" }}' disabled: false - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scaffolder-backend-module-orchestrator:{{ "{{" }}inherit{{ "}}" }}' disabled: false pluginConfig: orchestrator: dataIndexService: url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }}

📚 Focus areas based on broader codebase context Missing Config The new oci://... orchestrator plugin entries no longer include any pluginConfig.dynamicPlugins.frontend wiring for the frontend plugins (e.g., for orchestrator routes/menu items and form-widgets frontend key). Validate that the referenced OCI “export overlay” artifacts truly embed the required frontend dynamic plugin configuration; otherwise the UI plugins may load without registering routes/components. (Ref 3, Ref 2) - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-orchestrator-backend:{{ "{{" }}inherit{{ "}}" }}' disabled: false pluginConfig: orchestrator: dataIndexService: url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }} - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-orchestrator-form-widgets:{{ "{{" }}inherit{{ "}}" }}' disabled: false - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-orchestrator:{{ "{{" }}inherit{{ "}}" }}' disabled: false - package: 'oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scaffolder-backend-module-orchestrator:{{ "{{" }}inherit{{ "}}" }}' disabled: false pluginConfig: orchestrator: dataIndexService: url: http://sonataflow-platform-data-index-service.{{ .Release.Namespace }} Reference reasoning: Existing orchestrator plugin manifests in the codebase show explicit pluginConfig sections (including dynamicPlugins.frontend keys) for orchestrator-related plugins, indicating that this configuration is expected somewhere in the deployment. When switching package sources, the same configuration must still be provided either directly in values or guaranteed by the packaged artifact’s embedded configuration.

📄 References redhat-developer/rhdh-chart/charts/backstage/ci/with-orchestrator-and-dynamic-plugins-npmrc-values.yaml [1-24] redhat-developer/rhdh-operator/examples/orchestrator.yaml [1-22] redhat-developer/rhdh-operator/dist/rhdh/install.yaml [2206-2215] redhat-developer/rhdh/default.packages.yaml [88-100] redhat-developer/rhdh/default.packages.yaml [77-87] redhat-developer/rhdh-operator/examples/orchestrator.yaml [43-65] redhat-developer/rhdh-operator/pkg/model/testdata/rhdh-deployment.yaml [36-58] redhat-developer/rhdh-operator/pkg/model/testdata/rhdh-deployment.yaml [1-35]

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud