Skip to content

Latest commit





Folders and files

Last commit message
Last commit date

parent directory


Backstage Helm Chart

Version: 0.20.0 Type: application

A Helm chart for deploying a Backstage application

Backstage is an open platform for building developer portals. Powered by a centralized software catalog, Backstage restores order to your microservices and infrastructure and enables your product teams to ship high-quality code quickly — without compromising autonomy.

Backstage unifies all your infrastructure tooling, services, and documentation to create a streamlined development environment from end to end.


helm repo add bitnami
helm repo add backstage

helm install my-release backstage/backstage


This chart bootstraps a Backstage deployment on a Kubernetes cluster using the Helm package manager.



Chart is available in the following formats:

Installing from the Chart Repository

The following command can be used to add the chart repository:

helm repo add backstage

Once the chart has been added, install one of the available charts:

helm upgrade -i <release_name> backstage/backstage

Installing from an OCI Registry

Chart is also available in OCI format. The list of available releases can be found here.

Install one of the available versions:

helm upgrade -i oci:// --version=<version>

Tip: List all releases using helm list

Uninstalling the Chart

To uninstall/delete the my-backstage-release deployment:

helm uninstall my-backstage-release

The command removes all the Kubernetes components associated with the chart and deletes the release.


Repository Name Version common 1.x.x postgresql 11.x.x


Key Description Type Default
backstage Backstage parameters object See below
backstage.appConfig Generates ConfigMap and configures it in the Backstage pods object {}
backstage.args Backstage container command arguments list []
backstage.command Backstage container command list ["node","packages/backend"]
backstage.containerPorts Container ports on the Deployment object {"backend":7007}
backstage.containerSecurityContext Security settings for a Container.
object {}
backstage.extraAppConfig Extra app configuration files to inline into command arguments list []
backstage.extraContainers Deployment sidecars list []
backstage.extraEnvVars Backstage container environment variables list []
backstage.extraEnvVarsSecrets Backstage container environment variables from Secrets list []
backstage.extraVolumeMounts Backstage container additional volume mounts list []
backstage.extraVolumes Backstage container additional volumes list []
backstage.image.debug Set to true if you would like to see extra information on logs bool false
backstage.image.pullPolicy Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
string "Always"
backstage.image.pullSecrets Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
E.g: pullSecrets: [myRegistryKeySecretName]
list []
backstage.image.registry Backstage image registry string ""
backstage.image.repository Backstage image repository string "backstage/backstage"
backstage.image.tag Backstage image tag (immutable tags are recommended) string "latest"
backstage.initContainers Backstage container init containers list []
backstage.installDir Directory containing the backstage installation string "/app"
backstage.nodeSelector Node labels for pod assignment
object {}
backstage.podAnnotations Annotations to add to the backend deployment pods object {}
backstage.podSecurityContext Security settings for a Pod. The security settings that you specify for a Pod apply to all Containers in the Pod.
object {}
backstage.replicas Number of deployment replicas int 1
backstage.resources Resource requests/limits
object {}
backstage.tolerations Node tolerations for server scheduling to nodes with taints
list []
clusterDomain Default Kubernetes cluster domain string "cluster.local"
commonAnnotations Annotations to add to all deployed objects object {}
commonLabels Labels to add to all deployed objects object {}
diagnosticMode Enable diagnostic mode in the Deployment object {"args":["infinity"],"command":["sleep"],"enabled":false}
diagnosticMode.args Args to override all containers in the Deployment list ["infinity"]
diagnosticMode.command Command to override all containers in the Deployment list ["sleep"]
diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) bool false
extraDeploy Array of extra objects to deploy with the release list []
fullnameOverride String to fully override common.names.fullname string ""
global Global parameters Global Docker image parameters Please, note that this will override the image parameters, including dependencies, configured to use the global value Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass object See below
global.imagePullSecrets Global Docker registry secret names as an array
E.g. imagePullSecrets: [myRegistryKeySecretName]
list []
global.imageRegistry Global Docker image registry string ""
ingress Ingress parameters object {"annotations":{},"className":"","enabled":false,"host":"","tls":{"enabled":false,"secretName":""}}
ingress.annotations Additional annotations for the Ingress resource object {}
ingress.className Name of the IngressClass cluster resource which defines which controller will implement the resource (e.g nginx) string ""
ingress.enabled Enable the creation of the ingress resource bool false Hostname to be used to expose the route to access the backstage application (e.g: string ""
ingress.tls Ingress TLS parameters object {"enabled":false,"secretName":""}
ingress.tls.enabled Enable TLS configuration for the host defined at parameter bool false
ingress.tls.secretName The name to which the TLS Secret will be called string ""
kubeVersion Override Kubernetes version string ""
metrics Metrics configuration object {"serviceMonitor":{"annotations":{},"enabled":false,"interval":null,"labels":{},"path":"/metrics"}}
metrics.serviceMonitor ServiceMonitor configuration
Allows configuring your backstage instance as a scrape target for Prometheus using a ServiceMonitor custom resource that Prometheus Operator can understand.
object {"annotations":{},"enabled":false,"interval":null,"labels":{},"path":"/metrics"}
metrics.serviceMonitor.annotations ServiceMonitor annotations object {}
metrics.serviceMonitor.enabled If enabled, a ServiceMonitor resource for Prometheus Operator is created
Prometheus Operator must be installed in your cluster prior to enabling.
bool false
metrics.serviceMonitor.interval ServiceMonitor scrape interval string nil
metrics.serviceMonitor.labels Additional ServiceMonitor labels object {}
metrics.serviceMonitor.path ServiceMonitor endpoint path
Note that the /metrics endpoint is NOT present in a freshly scaffolded Backstage app. To setup, follow the Prometheus metrics tutorial.
string "/metrics"
nameOverride String to partially override common.names.fullname string ""
networkPolicy Network policies
object {"egressRules":{"customRules":[]},"enabled":false,"externalAccess":{"from":[]}}
networkPolicy.egressRules Custom network policy rule object {"customRules":[]}
networkPolicy.egressRules.customRules Additional custom egress rules e.g: customRules: - to: - namespaceSelector: matchLabels: label: example list []
networkPolicy.enabled networkPolicy.enabled Specifies whether a NetworkPolicy should be created bool false
postgresql PostgreSQL chart configuration object See below
postgresql.architecture PostgreSQL architecture (standalone or replication) string "standalone"
postgresql.auth The authentication details of the Postgres database object {"existingSecret":"","password":"","secretKeys":{"adminPasswordKey":"admin-password","replicationPasswordKey":"replication-password","userPasswordKey":"user-password"},"username":"bn_backstage"}
postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials string ""
postgresql.auth.password Password for the custom user to create string ""
postgresql.auth.secretKeys The secret keys Postgres will look for to retrieve the relevant password object {"adminPasswordKey":"admin-password","replicationPasswordKey":"replication-password","userPasswordKey":"user-password"}
postgresql.auth.secretKeys.adminPasswordKey The key in which Postgres will look for, for the admin password, in the existing Secret string "admin-password"
postgresql.auth.secretKeys.replicationPasswordKey The key in which Postgres will look for, for the replication password, in the existing Secret string "replication-password"
postgresql.auth.secretKeys.userPasswordKey The key in which Postgres will look for, for the user password, in the existing Secret string "user-password"
postgresql.auth.username Name for a custom user to create string "bn_backstage"
postgresql.enabled Switch to enable or disable the PostgreSQL helm chart bool false
service Service parameters object See below
service.annotations Additional custom annotations for Backstage service object {}
service.clusterIP Backstage service Cluster IP
E.g clusterIP: None
string ""
service.externalTrafficPolicy Backstage service external traffic policy Ref: string "Cluster"
service.extraPorts Extra ports to expose in the Backstage service (normally used with the sidecar value) list []
service.loadBalancerIP Backstage service Load Balancer IP
string ""
service.loadBalancerSourceRanges Load Balancer sources
E.g loadBalancerSourceRanges: []
list []
service.nodePorts Node port for the Backstage client connections Choose port between 30000-32767 object {"backend":""}
service.ports Backstage svc port for client connections object {"backend":7007,"name":"http-backend","targetPort":"backend"} Backstage svc port name string "http-backend"
service.ports.targetPort Backstage svc target port referencing receiving pod container port string "backend"
service.sessionAffinity Control where client requests go, to the same pod or round-robin (values: ClientIP or None)
string "None"
service.type Kubernetes Service type string "ClusterIP"
serviceAccount Service Account Configuration object See below
serviceAccount.annotations Additional custom annotations for the ServiceAccount. object {}
serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod bool true
serviceAccount.create Enable the creation of a ServiceAccount for Backstage pods bool false
serviceAccount.labels Additional custom labels to the service ServiceAccount. object {} Name of the ServiceAccount to use If not set and serviceAccount.create is true, a name is generated string ""

Configure your Backstage instance

The Backstage Chart makes it possible to configure your backstage instance by passing extra environment variables or static configuration files, without rebuilding the docker image.

Environment variables

Use backstage.extraEnvVars to pass extra environment variables. This is used for environment variables containing non sensitive information:

+   extraEnvVars:
+     - name: MY_PLUGIN_HOST
+       value: http://my-plugin-host

It is possible to override values defined in your app-config.yaml by appending the APP_CONFIG prefix to each environment variable, as described in the official documentation. For example, to override the property defined in your app-config.yaml, do:

+     - name: APP_CONFIG_backend_cache_store
+       value: memory

Sensitive environment variables

In case your environment variables contain sensitive information, such as BACKEND_SECRET or POSTGRES_PASSWORD it is recommended store them in a Kubernetes Secret.

Create a new file named my-backstage-secrets.yaml containing the secrets you want to store:

# my-backstage-secrets.yaml
apiVersion: v1
kind: Secret
  name: my-backstage-secrets
type: Opaque

Make sure to customize the name of the secret by changing properly.

Now create the new secret in your Kubernetes cluster by running the following command:

$ kubectl apply -f my-backstage-secrets.yaml`

Once the secret has been created, pass the secret's reference to your backstage instance by adding the following lines to your values.yaml:

+   extraEnvVarsSecrets:
+     - my-backstage-secrets

The chart will make sure to pass the secrets to your Backstage instance.

Pass extra configuration files

A generated Backstage docker image contains some static configuration files, such as app-config.yaml and app-config.production.yaml. It is possible to pass extra configuration files by defining them as ConfigMap, without rebuilding the Docker image.

To do so, run:

$ kubectl create configmap my-app-config --from-file=app-config.extra.yaml=./local/path/to/your/app-config.extra.yaml`

This command parses your local app-config.extra.yaml and creates a new ConfigMap called my-app-config which internally contains a file called app-config.extra.yaml with the content of the parsed file.

Now that the ConfigMap has been created on your Kubernetes cluster, you can reference the ConfigMap:

+   extraAppConfig:
+     - filename: app-config.extra.yaml
+       configMapRef: my-app-config

The chart will mount the content of the ConfigMap as a new app-config.extra.yaml file and automatically pass the extra configuration to your instance.

Pass configuration to be stored in a ConfigMap

⚠️ In case of using both appConfig and extraAppConfig, appConfig will have higher priority over extraAppConfig. For more information you can check the Backstage docs and how this Helm Chart configures the Backstage arguments

In addition to following the previous step "Pass extra configuration files", you can get the Config Map automatically deployed with this Helm Chart by defining the key appConfig:

+   appConfig:
+     app:
+       baseUrl: https://somedomain.tld

The chart will mount the content of the ConfigMap as a new app-config-from-configmap.yaml file and automatically pass the extra configuration to your instance.

Configuring Chart PostgreSQL

With the Backstage Helm Chart, it offers - as a subchart - a Bitnami PostgreSQL database. This can be enabled by switching postgresql.enabled to true (it is false by default). If switched on, the Helm Chart, on deployment, will automatically deploy a PostgreSQL instance and configure it with the credentials you specify. There are multiple ways of doing this that will be detailed below.

Automatic Database Credential Creation

This is the easiest of the configuration options. Here, the credentials for both the Admin and Database users will be automatically generated and put into a Kubernetes secret. This will then be automatically used by Backstage. In order to use this method, ensure the following:

  • Keep postgresql.auth.existingSecret & postgresql.auth.password empty.

Specifying Password for PostgreSQL to Use

Here, you can specify the password that you want PostgreSQL to use for its Database User (The user that Backstage will use to connect to the database). In order to use this method, ensure the following:

  • Keep postgresql.auth.existingSecret empty.
  • Set postgresql.auth.password to your desired User password value.

NOTE: Be careful that you provide this value securely.

Specifying Existing Secret for PostgreSQL to Use

Here, you can specify an existing Kubernetes secret that you have created which contains the Password that you want PostgreSQL to use. The secret must be in the same namespace as where you are deploying the Helm Chart. In order to use this method, ensure the following:

  • Create the Kubernetes secret with the Password inside.
  • Set postgresql.auth.existingSecret to the name of the Secret
  • PostgreSQL by default will look for the relevant Password keys that are set by default here postgresql.auth.secretKeys. So make sure that the Keys in the Secret match the default secretKeys values. More information here
  • For example, if you want PostgreSQL to use an existing Secret called my-user-secret that has the User password that you want to use inside it: make sure that you create a Key inside that secret called user-password (this key can be found here postgresql.auth.secretKeys.userPasswordKey). i.e. user-password=Password123.