doc: add backend_secret config to orchestrator (#1567)

* Update app config in orchestrator example

* update doc

* add secret example

Author: jenniferubah

docs/orchestrator.md

@@ -91,7 +91,9 @@ To enable the orchestrator plugin, you should refer the dynamic plugins ConfigMa
          disabled: false  
 ```
 
-See [example](/examples/orchestrator.yaml) for a complete configuration of the orchestrator plugin.
+See [example](/examples/orchestrator.yaml) for a complete configuration of the orchestrator plugin. 
+Ensure to add a secret with the BACKEND_SECRET key/value and update
+the secret name in the `Backstage` CR under the `extraEnvs` field.
 
 #### Plugin registry
 

examples/orchestrator.yaml

@@ -33,6 +33,22 @@ data:
         guest:
           # using the guest user to query the '/api/dynamic-plugins-info/loaded-plugins' endpoint.
           dangerouslyAllowOutsideDevelopment: true
+    backend:
+      auth:
+        externalAccess:
+          - type: static
+            options:
+              token: ${BACKEND_SECRET}
+              subject: orchestrator
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backend-auth-secret
+stringData:
+  # generated with the command below (from https://backstage.io/docs/auth/service-to-service-auth/#setup):
+  # node -p 'require("crypto").randomBytes(24).toString("base64")'
+  BACKEND_SECRET: "R2FxRVNrcmwzYzhhN3l0V1VRcnQ3L1pLT09WaVhDNUEK" # notsecret
 ---
 apiVersion: rhdh.redhat.com/v1alpha4
 kind: Backstage
@@ -44,3 +60,6 @@ spec:
       configMaps:
         - name: app-config-rhdh
     dynamicPluginsConfigMapName: orchestrator-plugin
+    extraEnvs:
+      secrets:
+        - name: backend-auth-secret # secret that contains the BACKEND_SECRET key