Bug
Resolution: Done
Critical
RHDH Documentation 3269, RHDH Documentation 3270
Moderate
Description of problem:
When following the steps to include the RBAC policy files in RHDH, using the mount path /opt/app-root/src does not work (the pod is not initialized, as the path cannot be mounted), but changing it to /opt/app-root/src/rbac does work.
Prerequisites (if any, like setup, operators/versions):
rhdh 1.3.1
Steps to Reproduce
1. Files used:
- rbac-conditional-policies.yaml:
  result: CONDITIONAL
  roleEntityRef: 'role:default/test2-role'
  pluginId: catalog
  resourceType: catalog-entity
  permissionMapping:
    - read
    - update
  conditions:
    rule: IS_ENTITY_OWNER
    resourceType: catalog-entity
    params:
      claims:
        - 'group:janus-qe/rhdh-qe-2-team'
        - $currentUser
  ---
  result: CONDITIONAL
  roleEntityRef: 'role:default/test2-role'
  pluginId: catalog
  resourceType: catalog-entity
  permissionMapping:
    - delete
  conditions:
    rule: IS_ENTITY_OWNER
    resourceType: catalog-entity
    params:
      claims:
        - $currentUser
- rbac-policies.csv:
  p, role:default/guests, catalog.entity.create, create, allow
  p, role:default/team_a, catalog-entity, read, allow
  g, user:xyz/user, role:xyz/team_a
  g, group:default/rhdh-qe-2-team, role:default/test2-role
  p, role:xyz/team_a, catalog-entity, read, allow
  p, role:xyz/team_a, catalog.entity.create, create, allow
  p, role:xyz/team_a, catalog.location.create, create, allow
  p, role:xyz/team_a, catalog.location.read, read, allow
  g, user:default/rhdh-qe, role:default/qe_rbac_admin
  p, role:default/qe_rbac_admin, kubernetes.proxy, use, allow
  p, role:default/qe_rbac_admin, catalog.entity.create, create, allow
  p, role:default/qe_rbac_admin, catalog.location.create, create, allow
  p, role:default/qe_rbac_admin, catalog.location.read, read, allow
  p, role:default/bulk_import, bulk.import, use, allow
  p, role:default/bulk_import, catalog.location.create, create, allow
  p, role:default/bulk_import, catalog.entity.create, create, allow
  g, group:default/rhdh-qe-2-team, role:default/bulk_import
2. Run:
   oc create configmap rbac-policies \
     --from-file=rbac-policies.csv \
     --from-file=rbac-conditional-policies.yaml
3. Backstage Helm values:
   global:
     plugins:
       - disabled: false
         package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac
   extraVolumeMounts:
     - mountPath: /opt/app-root/src/dynamic-plugins-root
       name: dynamic-plugins-root
     - mountPath: /var/log/audit
       name: audit-log-data
     - mountPath: /opt/app-root/src/rbac
       name: rbac-policies
   extraVolumes:
     - configMap:
         defaultMode: 420
         name: rbac-policies
       name: rbac-policies
4. App-config ConfigMap:
   data:
     app-config-rhdh.yaml: |
       permission:
         enabled: true
         rbac:
           conditionalPoliciesFile: /opt/app-root/src/rbac-conditional-policies.yaml
           policies-csv-file: /opt/app-root/src/rbac-policies.csv
           policyFileReload: true
           admin:
             users:
               - name: user:github/nilgaar
       dangerouslyAllowSignInWithoutUserInCatalog: true
Actual results:
event:
Error: container create failed: time="2024-12-17T12:42:43Z" level=error msg="runc create failed: unable to start container process: error during container init: error mounting \"/var/lib/kubelet/pods/67579abd-5864-482d-acab-1d1b852285da/volume-subpaths/backstage-app-config/backstage-backend/0\" to rootfs at \"/opt/app-root/src/app-config-from-configmap.yaml\": mount /var/lib/kubelet/pods/67579abd-5864-482d-acab-1d1b852285da/volume-subpaths/backstage-app-config/backstage-backend/0:/opt/app-root/src/app-config-from-configmap.yaml (via /proc/self/fd/6), flags: 0x5001, data: context=\"system_u:object_r:container_file_t:s0:c28,c17\": not a directory"
Expected results:
When changing the mount path to /opt/app-root/src/rbac, everything works as expected.
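As an added pre-deployment check (not code from the report or from the RHDH project), the mount-overlap logic behind this failure in Python: it flags any extraVolumeMounts path that sits above another mount in the same container, such as the chart's subPath mount of app-config-from-configmap.yaml that appears in the runc error. The mount lists are constructed from this page; the function names are assumptions.

```python
from pathlib import PurePosixPath

# Constructed from this report: the chart's own file mount (taken from the runc
# error in "Actual results") plus the reporter's other extra mounts.
CHART_FILE_MOUNTS = ["/opt/app-root/src/app-config-from-configmap.yaml"]
REPORTER_MOUNTS = ["/opt/app-root/src/dynamic-plugins-root", "/var/log/audit"]


def is_parent(parent: str, child: str) -> bool:
    """True when a volume mounted at `parent` would sit over `child`."""
    p, c = PurePosixPath(parent), PurePosixPath(child)
    return p != c and p in c.parents


def find_shadowed_mounts(mount_paths: list[str]) -> list[tuple[str, str]]:
    """Return (volume mountPath, shadowed mountPath) pairs.

    A volume mounted on a directory replaces that directory's contents inside
    the container, so another mount that lives underneath it (here the subPath
    file mount of app-config-from-configmap.yaml) can no longer be set up,
    which matches the "not a directory" failure in this report.
    """
    paths = sorted({PurePosixPath(p).as_posix() for p in mount_paths})
    return [(a, b) for a in paths for b in paths if is_parent(a, b)]


def check_rbac_mount(rbac_mount_path: str) -> list[tuple[str, str]]:
    """Evaluate one candidate mountPath for the rbac-policies ConfigMap."""
    return find_shadowed_mounts(CHART_FILE_MOUNTS + REPORTER_MOUNTS + [rbac_mount_path])


if __name__ == "__main__":
    # The failing path from the description beside the working one from the steps.
    for candidate in ("/opt/app-root/src", "/opt/app-root/src/rbac"):
        problems = check_rbac_mount(candidate)
        status = "shadows " + ", ".join(b for _, b in problems) if problems else "ok"
        print(f"{candidate}: {status}")
```

The same check can be run over the full extraVolumeMounts list of any values file before `helm upgrade`, since a ConfigMap mounted on a directory that the image or the chart already uses will fail in the same way.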
Reproducibility (Always/Intermittent/Only Once):
Always, for me.