From d295ff5b2aa29ba30ee7f37d0e0e5abdaa35753e Mon Sep 17 00:00:00 2001 
From: Daniel Vaskivaara Date: Mon, 4 May 2026 11:52:24 +0300 Subject: [PATCH 1/4] config(cluster-auth): point to 0.5.9 (cache invalidation) --- root/values.yaml | 2 +- sources/cluster-auth/0.5.9/.helmignore | 20 +++ sources/cluster-auth/0.5.9/Chart.yaml | 18 ++ .../cluster-auth/0.5.9/templates/NOTES.txt | 61 +++++++ .../cluster-auth/0.5.9/templates/_helpers.tpl | 61 +++++++ .../0.5.9/templates/clusterrole.yaml | 10 ++ .../0.5.9/templates/clusterrolebinding.yaml | 14 ++ .../0.5.9/templates/configmap.yaml | 12 ++ .../0.5.9/templates/deployment.yaml | 101 +++++++++++ .../gateway-extension-kgateway-system.yaml | 15 ++ .../0.5.9/templates/gateway-extension.yaml | 15 ++ .../0.5.9/templates/job-restart-kgateway.yaml | 20 +++ .../0.5.9/templates/namespace.yaml | 8 + .../0.5.9/templates/rbac-restart-job.yaml | 54 ++++++ .../0.5.9/templates/referencegrant.yaml | 33 ++++ .../cluster-auth/0.5.9/templates/service.yaml | 32 ++++ .../0.5.9/templates/serviceaccount.yaml | 7 + .../0.5.9/templates/servicemonitor.yaml | 18 ++ .../0.5.9/templates/trafficpolicy.yaml | 15 ++ sources/cluster-auth/0.5.9/values.yaml | 163 ++++++++++++++++++ 20 files changed, 678 insertions(+), 1 deletion(-) create mode 100644 sources/cluster-auth/0.5.9/.helmignore create mode 100644 sources/cluster-auth/0.5.9/Chart.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/NOTES.txt create mode 100644 sources/cluster-auth/0.5.9/templates/_helpers.tpl create mode 100644 sources/cluster-auth/0.5.9/templates/clusterrole.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/clusterrolebinding.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/configmap.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/deployment.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/gateway-extension-kgateway-system.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/gateway-extension.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/job-restart-kgateway.yaml create mode 
100644 sources/cluster-auth/0.5.9/templates/namespace.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/rbac-restart-job.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/referencegrant.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/service.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/serviceaccount.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/servicemonitor.yaml create mode 100644 sources/cluster-auth/0.5.9/templates/trafficpolicy.yaml create mode 100644 sources/cluster-auth/0.5.9/values.yaml
diff --git a/root/values.yaml b/root/values.yaml
index a44961ea..416a2e05 100644
--- a/root/values.yaml
+++ b/root/values.yaml
@@ -239,7 +239,7 @@ apps:
 installCRDs: true
 cluster-auth:
 namespace: cluster-auth
- path: cluster-auth/0.5.0
+ path: cluster-auth/0.5.9
 syncWave: -25
 valuesFile: values.yaml
 cluster-auth-config:
diff --git a/sources/cluster-auth/0.5.9/.helmignore b/sources/cluster-auth/0.5.9/.helmignore
new file mode 100644
index 00000000..b15d0eba
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/.helmignore
@@ -0,0 +1,20 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/sources/cluster-auth/0.5.9/Chart.yaml b/sources/cluster-auth/0.5.9/Chart.yaml
new file mode 100644
index 00000000..04d51182
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: cluster-auth
+description: External authorization service for Kubernetes Gateway with OpenBao integration
+type: application
+version: 0.5.9
+appVersion: "0.5.9"
+keywords:
+ - envoy
+ - authorization
+ - openbao
+ - vault
+ - gateway-api
+ - kubernetes
+home: https://github.com/silogen/cluster-auth
+sources:
+ - https://github.com/silogen/cluster-auth
+maintainers:
+ - name: AMD EAI Platform Team
diff --git a/sources/cluster-auth/0.5.9/templates/NOTES.txt b/sources/cluster-auth/0.5.9/templates/NOTES.txt
new file mode 100644
index 00000000..7141310c
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/NOTES.txt
@@ -0,0 +1,61 @@ +Thank you for installing {{ .Chart.Name }}! + +Your release is named {{ .Release.Name }}. + +To verify the deployment: + + kubectl get pods -n {{ .Values.namespace.name }} -l app.kubernetes.io/name={{ include "cluster-auth.name" . }} + +To check the logs: + + kubectl logs -n {{ .Values.namespace.name }} -l app.kubernetes.io/name={{ include "cluster-auth.name" . }} + +To test the health endpoint: + + kubectl port-forward -n {{ .Values.namespace.name }} svc/{{ include "cluster-auth.fullname" . }} 8080:{{ .Values.service.health.port }} + curl http://localhost:8080/health + +To access the REST API: + + kubectl port-forward -n {{ .Values.namespace.name }} svc/{{ include "cluster-auth.fullname" . }} 8081:{{ .Values.service.restApi.port }} + curl -H "X-Admin-Token: " http://localhost:8081/apikey/groups | jq + +To access Prometheus metrics: + + kubectl port-forward -n {{ .Values.namespace.name }} svc/{{ include "cluster-auth.fullname" . }} 9090:{{ .Values.service.metrics.port }} + curl http://localhost:9090/metrics + +{{- if not .Values.existingSecret }} + +WARNING: No existing secret configured! +Please create a secret with OpenBao and admin tokens: + + kubectl create secret generic cluster-auth-secrets \ + --from-literal=openbao-token="" \ + --from-literal=admin-token="" \ + --namespace={{ .Values.namespace.name }} + +Then update your values.yaml: + existingSecret: "cluster-auth-secrets" + +{{- end }} + +{{- if .Values.config.apikey.enabled }} + +API Key Management is enabled. 
Available endpoints: + - POST /apikey/create - Create API keys + - POST /apikey/revoke - Revoke API keys + - POST /apikey/renew - Renew API keys + - POST /apikey/lookup - Lookup API key metadata + - POST /apikey/group - Create groups + - DELETE /apikey/group - Delete groups + - GET /apikey/groups - List all groups + - POST /apikey/bind - Bind key to group + - POST /apikey/unbind - Unbind key from group + +{{- end }} + +For more information, visit: + https://github.com/silogen/cluster-auth + +Happy authorizing! diff --git a/sources/cluster-auth/0.5.9/templates/_helpers.tpl b/sources/cluster-auth/0.5.9/templates/_helpers.tpl new file mode 100644 index 00000000..9bbfb343 --- /dev/null +++ b/sources/cluster-auth/0.5.9/templates/_helpers.tpl 
@@ -0,0 +1,61 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster-auth.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "cluster-auth.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster-auth.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster-auth.labels" -}}
+helm.sh/chart: {{ include "cluster-auth.chart" . }}
+{{ include "cluster-auth.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster-auth.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster-auth.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: cluster-auth
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cluster-auth.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cluster-auth.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/sources/cluster-auth/0.5.9/templates/clusterrole.yaml b/sources/cluster-auth/0.5.9/templates/clusterrole.yaml
new file mode 100644
index 00000000..5d658a56
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/clusterrole.yaml
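Review bot: The `cluster-auth.serviceAccountName` helper at the end of the hunk reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, keys that the chart's values.yaml in this series never defines, and no template in the chart includes it — deployment.yaml and clusterrolebinding.yaml hard-wire `serviceAccountName: {{ include "cluster-auth.fullname" . }}` instead. As written it is dead code, and the first template that does `include "cluster-auth.serviceAccountName"` would most likely fail to render with a nil-pointer error on `.Values.serviceAccount` until the keys exist. Either drop the helper, or add `serviceAccount:` with `create: true` and `name: ""` to values.yaml and switch the Deployment, ServiceAccount and ClusterRoleBinding to the helper so the account name is overridable in one place.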
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["httproutes"]
+ verbs: ["get", "list", "watch"]
diff --git a/sources/cluster-auth/0.5.9/templates/clusterrolebinding.yaml b/sources/cluster-auth/0.5.9/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..950266a2
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cluster-auth.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
diff --git a/sources/cluster-auth/0.5.9/templates/configmap.yaml b/sources/cluster-auth/0.5.9/templates/configmap.yaml
new file mode 100644
index 00000000..30129fe2
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-config
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+data:
+ config.yaml: |
+{{ toYaml .Values.config | indent 4 }}
+ policies.yaml: |
+{{ toYaml .Values.policies | indent 4 }}
diff --git a/sources/cluster-auth/0.5.9/templates/deployment.yaml b/sources/cluster-auth/0.5.9/templates/deployment.yaml
new file mode 100644
index 00000000..ef87daf8
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/deployment.yaml
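Review bot: In the configmap.yaml hunk, `config.yaml: |` followed by `{{ toYaml .Values.config | indent 4 }}` copies the entire `config` tree into a ConfigMap, so the only thing keeping credentials out of it is that values.yaml uses the `${OPENBAO_TOKEN}`, `${ADMIN_TOKEN}` and `${API_KEY_PREFIX}` placeholders (presumably expanded by the binary at startup; the chart itself does not resolve them). Any literal value an operator later puts under `config.authentication.methods[].staticTokens` (shipped as `{}`) or `config.apikey.adminTokens` ends up in plaintext in the ConfigMap, readable by anyone with ConfigMap get in the namespace, rather than in `existingSecret`. A comment above `data:` such as `# Credentials must stay as ${ENV} placeholders backed by existingSecret; never put literal tokens under .Values.config` would make that contract explicit, and a `fail` guard on a non-empty `staticTokens` would enforce it. The `checksum/config` annotation in deployment.yaml already hashes this file, so changes here do roll the pods.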
@@ -0,0 +1,101 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cluster-auth.fullname" . }} + namespace: {{ .Values.namespace.name }} + labels: + {{- include "cluster-auth.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "cluster-auth.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "cluster-auth.selectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "cluster-auth.fullname" . }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . 
| nindent 10 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: grpc + containerPort: {{ .Values.service.grpc.port }} + protocol: TCP + - name: health + containerPort: {{ .Values.service.health.port }} + protocol: TCP + - name: rest-api + containerPort: {{ .Values.service.restApi.port }} + protocol: TCP + - name: metrics + containerPort: {{ .Values.service.metrics.port }} + protocol: TCP + args: + - "-config" + - "/etc/cluster-auth/config.yaml" + {{- if .Values.existingSecret }} + env: + - name: API_KEY_PREFIX + value: "amd_aim_api_key_" + - name: OPENBAO_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecret }} + key: openbao-token + - name: ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecret }} + key: admin-token + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/cluster-auth + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "cluster-auth.fullname" . }}-config + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/sources/cluster-auth/0.5.9/templates/gateway-extension-kgateway-system.yaml b/sources/cluster-auth/0.5.9/templates/gateway-extension-kgateway-system.yaml new file mode 100644 index 00000000..86779bfa --- /dev/null +++ b/sources/cluster-auth/0.5.9/templates/gateway-extension-kgateway-system.yaml 
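Review bot: The `env:` block is wrapped in `{{- if .Values.existingSecret }}`, but it also carries `API_KEY_PREFIX`, which is not a secret: with `existingSecret` set to `""` the container gets no `API_KEY_PREFIX` while config.yaml still references `${API_KEY_PREFIX}`, and only the two `secretKeyRef` entries actually need the guard. Move `- name: API_KEY_PREFIX` / `value: "amd_aim_api_key_"` above the conditional so `env:` is always emitted and only `OPENBAO_TOKEN` and `ADMIN_TOKEN` are gated. Separately, `image:` is built from `repository:tag` and the chart defaults `pullPolicy: Always`; since this series relies on re-tagging (rc1 → rc2 → 0.5.9) to invalidate caches, an optional digest (`repository@sha256:<digest>` with the digest recorded in values) would make the artifact that was tested and the one that runs provably the same. The template also uses `serviceAccountName: {{ include "cluster-auth.fullname" . }}` rather than the `cluster-auth.serviceAccountName` helper defined in _helpers.tpl, so the two can drift.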
@@ -0,0 +1,15 @@
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: GatewayExtension
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-extauth
+ namespace: kgateway-system
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ type: ExtAuth
+ extAuth:
+ grpcService:
+ backendRef:
+ name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
+ port: {{ .Values.service.grpc.port }}
diff --git a/sources/cluster-auth/0.5.9/templates/gateway-extension.yaml b/sources/cluster-auth/0.5.9/templates/gateway-extension.yaml
new file mode 100644
index 00000000..130fe833
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/gateway-extension.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: GatewayExtension
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-extauth
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ type: ExtAuth
+ extAuth:
+ grpcService:
+ backendRef:
+ name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
+ port: {{ .Values.service.grpc.port }}
diff --git a/sources/cluster-auth/0.5.9/templates/job-restart-kgateway.yaml b/sources/cluster-auth/0.5.9/templates/job-restart-kgateway.yaml
new file mode 100644
index 00000000..4c67452e
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/job-restart-kgateway.yaml
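Review bot: Two GatewayExtension objects with the identical name `{{ include "cluster-auth.fullname" . }}-extauth` are created, one in the hard-coded `kgateway-system` and one in `.Values.namespace.name`, both pointing at the same backend; the TrafficPolicy in `kgateway-system` appears to resolve its `extensionRef` by name in its own namespace, so the copy in the cluster-auth namespace looks unused and just leaves a second object to drift. A one-line comment on each file naming the consumer it serves, or dropping the unused one, would settle that. Neither spec configures TLS on `grpcService`, consistent with `config.server.grpc.tls.enabled: false` in values.yaml, so the ext-authz exchange (request headers included) crosses the cluster network unencrypted unless a mesh handles it; worth stating in a comment so operators know what they are relying on.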
@@ -0,0 +1,20 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-restart-kgateway
+ namespace: {{ .Values.namespace.name }}
+spec:
+ template:
+ spec:
+ serviceAccountName: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ containers:
+ - name: restart
+ image: bitnami/kubectl:latest
+ command:
+ - /bin/sh
+ - -c
+ - |
+ kubectl wait deployment {{ include "cluster-auth.fullname" . }} -n {{ .Values.namespace.name }} --for=condition=Available=True --timeout=180s
+ kubectl rollout restart deployment kgateway -n kgateway-system
+ restartPolicy: Never
diff --git a/sources/cluster-auth/0.5.9/templates/namespace.yaml b/sources/cluster-auth/0.5.9/templates/namespace.yaml
new file mode 100644
index 00000000..86d8d2dc
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/namespace.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.namespace.create -}}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+{{- end }}
diff --git a/sources/cluster-auth/0.5.9/templates/rbac-restart-job.yaml b/sources/cluster-auth/0.5.9/templates/rbac-restart-job.yaml
new file mode 100644
index 00000000..c6025256
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/rbac-restart-job.yaml
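Review bot: The restart Job runs `image: bitnami/kubectl:latest`, an unpinned mutable tag from a third-party registry, under a ServiceAccount that can patch Deployments in `kgateway-system`, so whatever is behind that tag at sync time executes with those rights; pin it (`image: bitnami/kubectl:<pinned-tag>@sha256:<digest>`) and ideally mirror it like the chart's own image. The `/bin/sh -c` script has no `set -e`, so when `kubectl wait ... --timeout=180s` fails the script still runs `kubectl rollout restart deployment kgateway`, bouncing the gateway even though cluster-auth is not Available; make the first script line `set -e`. The Job also sets no `backoffLimit` or `ttlSecondsAfterFinished`, and since a Job's template is immutable a later sync that changes this spec under the same name will be rejected until the old Job is deleted — a Helm hook with a `helm.sh/hook-delete-policy` annotation would avoid that, though whether hooks apply depends on how cluster-forge renders these charts.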
@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ namespace: {{ .Values.namespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-restart-role
+ namespace: {{ .Values.namespace.name }}
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kgateway-restart-role
+ namespace: kgateway-system
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-restart-binding
+ namespace: {{ .Values.namespace.name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ namespace: {{ .Values.namespace.name }}
+roleRef:
+ kind: Role
+ name: {{ include "cluster-auth.fullname" . }}-restart-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kgateway-restart-binding
+ namespace: kgateway-system
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ namespace: {{ .Values.namespace.name }}
+roleRef:
+ kind: Role
+ name: kgateway-restart-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/sources/cluster-auth/0.5.9/templates/referencegrant.yaml b/sources/cluster-auth/0.5.9/templates/referencegrant.yaml
new file mode 100644
index 00000000..8bd777d1
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/referencegrant.yaml
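Review bot: The `kgateway-restart-role` Role grants `patch` on every Deployment in `kgateway-system`, while the Job only ever restarts `kgateway`; `kubectl rollout restart` does a get plus a patch on that one object, so the rule can be narrowed to `resourceNames: ["kgateway"]` with `verbs: ["get", "patch"]` (`list` is not constrained by resourceNames and is not needed for the restart). The cluster-auth-namespace Role has only `get`/`list`, but `kubectl wait` sets up a watch on the named Deployment when the condition is not yet met as far as I recall, so `watch` may be required for the 180 s wait to work on a fresh install — worth verifying rather than assuming. The `kgateway-restart-role` and `kgateway-restart-binding` names are static and un-prefixed, unlike every other object in the chart, so two releases would collide in `kgateway-system`; prefix them with the fullname as the sibling Role and RoleBinding already do.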
@@ -0,0 +1,33 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: kgateway-to-{{ include "cluster-auth.fullname" . }}-extauth
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ from:
+ - group: gateway.kgateway.dev
+ kind: TrafficPolicy
+ namespace: kgateway-system
+ to:
+ - group: gateway.kgateway.dev
+ kind: GatewayExtension
+ name: {{ include "cluster-auth.fullname" . }}-extauth
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: kgateway-extauth-to-{{ include "cluster-auth.fullname" . }}-service
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ from:
+ - group: gateway.kgateway.dev
+ kind: GatewayExtension
+ namespace: kgateway-system
+ to:
+ - group: ""
+ kind: Service
+ name: {{ include "cluster-auth.fullname" . }}
diff --git a/sources/cluster-auth/0.5.9/templates/service.yaml b/sources/cluster-auth/0.5.9/templates/service.yaml
new file mode 100644
index 00000000..e1071161
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/service.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.service.metrics.port }}"
+ prometheus.io/path: "/metrics"
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: grpc
+ port: {{ .Values.service.grpc.port }}
+ targetPort: grpc
+ protocol: TCP
+ - name: health
+ port: {{ .Values.service.health.port }}
+ targetPort: health
+ protocol: TCP
+ - name: rest-api
+ port: {{ .Values.service.restApi.port }}
+ targetPort: rest-api
+ protocol: TCP
+ - name: metrics
+ port: {{ .Values.service.metrics.port }}
+ targetPort: metrics
+ protocol: TCP
+ selector:
+ {{- include "cluster-auth.selectorLabels" . | nindent 4 }}
diff --git a/sources/cluster-auth/0.5.9/templates/serviceaccount.yaml b/sources/cluster-auth/0.5.9/templates/serviceaccount.yaml
new file mode 100644
index 00000000..215ec39a
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
diff --git a/sources/cluster-auth/0.5.9/templates/servicemonitor.yaml b/sources/cluster-auth/0.5.9/templates/servicemonitor.yaml
new file mode 100644
index 00000000..edb9ecd6
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/servicemonitor.yaml
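Review bot: The Service publishes the API-key admin REST port (`rest-api`, 8081, guarded only by the `X-Admin-Token` header per NOTES.txt) and the ext-authz gRPC port to every pod in the cluster, and the chart ships no NetworkPolicy; only the kgateway proxies in `kgateway-system` need `grpc`, and no in-cluster caller of the admin API is named anywhere in the chart. A default-deny ingress policy on the cluster-auth pod with one rule per port would bound what a compromised workload elsewhere can reach; metrics scraping would need a rule for the monitoring namespace, and the `prometheus.io/*` annotations duplicate the ServiceMonitor so one of the two mechanisms could go. Sketch of the policy, with the namespace matched on the standard `kubernetes.io/metadata.name` label:

```yaml
# templates/networkpolicy.yaml — new file; remaining rules (metrics, rest-api) to be added per environment
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "cluster-auth.fullname" . }}
  namespace: {{ .Values.namespace.name }}
spec:
  podSelector:
    matchLabels:
      {{- include "cluster-auth.selectorLabels" . | nindent 6 }}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kgateway-system
      ports:
        - port: {{ .Values.service.grpc.port }}
    # … rules for metrics (monitoring namespace) and rest-api (admin sources) …
```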
@@ -0,0 +1,18 @@
+{{- if .Values.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "cluster-auth.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.serviceMonitor.interval }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ path: /metrics
+{{- end }}
diff --git a/sources/cluster-auth/0.5.9/templates/trafficpolicy.yaml b/sources/cluster-auth/0.5.9/templates/trafficpolicy.yaml
new file mode 100644
index 00000000..d8d25f62
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/templates/trafficpolicy.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: TrafficPolicy
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-global
+ namespace: kgateway-system
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: https
+ extAuth:
+ extensionRef:
+ name: {{ include "cluster-auth.fullname" . }}-extauth
\ No newline at end of file
diff --git a/sources/cluster-auth/0.5.9/values.yaml b/sources/cluster-auth/0.5.9/values.yaml
new file mode 100644
index 00000000..1af25f9a
--- /dev/null
+++ b/sources/cluster-auth/0.5.9/values.yaml
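Review bot: In the trafficpolicy.yaml hunk the target Gateway `name: https` and the `namespace: kgateway-system` are literals while every other binding in the chart is values-driven, and the file ends without a trailing newline (`\ No newline at end of file`). Attaching the policy at Gateway level presumably puts every route behind `https` under cluster-auth, so any exemption has to be expressed in policies.yaml rather than here; a comment above `targetRefs:` saying so (`# Gateway-wide attachment: all routes on this Gateway go through ext-auth; exempt paths in .Values.policies`) would spare the next operator a surprise. Consider exposing the target as values with the current literals as defaults so the chart is reusable beyond this one cluster layout.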
@@ -0,0 +1,163 @@ +replicaCount: 1 + +image: + repository: ghcr.io/silogen/cluster-auth + pullPolicy: Always + tag: "0.5.9-rc1" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +namespace: + name: cluster-auth + create: true + +existingSecret: "cluster-auth-secrets" + +service: + type: ClusterIP + grpc: + port: 50051 + health: + port: 8080 + restApi: + port: 8081 + metrics: + port: 9090 + +resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 500m + memory: 512Mi + +livenessProbe: + httpGet: + path: /health + port: health + initialDelaySeconds: 10 + periodSeconds: 10 + +readinessProbe: + httpGet: + path: /health + port: health + initialDelaySeconds: 5 + periodSeconds: 5 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +podAnnotations: {} + +podSecurityContext: {} + +securityContext: {} + +serviceMonitor: + enabled: true + interval: 30s + scrapeTimeout: 10s + +config: + server: + grpc: + address: ":50051" + tls: + enabled: false + rest: + enabled: true + address: ":8081" + health: + address: ":8080" + + authentication: + methods: + - type: openbao + name: openbao-default + enabled: true + openbao: + address: "http://openbao.cf-openbao.svc.cluster.local:8200" + token: "${OPENBAO_TOKEN}" + cacheTTL: "15m" + - type: bearer + name: fallback-bearer + enabled: false + staticTokens: {} + failureMode: deny + + apikey: + enabled: true + prefix: "${API_KEY_PREFIX}" + adminTokens: + "${ADMIN_TOKEN}": "default-client" + + authorization: + enabled: true + policyFile: "/etc/cluster-auth/policies.yaml" + defaultAction: allow + + kubernetes: + enabled: true + inCluster: true + cacheDuration: "15m" + + observability: + logging: + level: info + format: json + metrics: + enabled: true + address: ":9090" + tracing: + enabled: false + +policies: + version: "1.0" + policies: + - name: allow-health + description: Allow health check endpoints + priority: 100 + rules: + - effect: allow + paths: + - /health + - /healthz + - /ready + methods: + - GET + 
requireAuth: false + + - name: httproute-group-based-access + description: Allow access only if HTTPRoute annotation matches user's group + priority: 85 + rules: + - effect: allow + paths: + - /** + methods: + - "*" + requireAuth: true + httpRoute: + annotationMatch: + - key: "cluster-auth/allowed-group" + matchesUserGroup: true + + - name: admin-full-access + description: Admin users have full access + priority: 90 + rules: + - effect: allow + paths: + - /** + methods: + - "*" + roles: + - admin + requireAuth: true From 2eebabc03326e3f4a60d60b66d33926c8a51d81c Mon Sep 17 00:00:00 2001 From: Daniel Vaskivaara Date: Tue, 5 May 2026 08:18:48 +0300 Subject: [PATCH 2/4] fix(cluster-auth): update openbao.cacheTTL and rc image pin --- sources/cluster-auth/0.5.9/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sources/cluster-auth/0.5.9/values.yaml b/sources/cluster-auth/0.5.9/values.yaml index 1af25f9a..b8d8cc4b 100644 --- a/sources/cluster-auth/0.5.9/values.yaml +++ b/sources/cluster-auth/0.5.9/values.yaml @@ -3,7 +3,7 @@ replicaCount: 1 image: repository: ghcr.io/silogen/cluster-auth pullPolicy: Always - tag: "0.5.9-rc1" + tag: "0.5.9-rc2" imagePullSecrets: [] nameOverride: "" @@ -85,7 +85,7 @@ config: openbao: address: "http://openbao.cf-openbao.svc.cluster.local:8200" token: "${OPENBAO_TOKEN}" - cacheTTL: "15m" + cacheTTL: "10s" - type: bearer name: fallback-bearer enabled: false From 46b176a73d011e8dacb0e259069d15654ea71cf1 Mon Sep 17 00:00:00 2001 From: Daniel Vaskivaara Date: Thu, 7 May 2026 15:16:26 +0300 Subject: [PATCH 3/4] fix: point to correct image version and align cacheTTL --- sources/cluster-auth/0.5.9/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sources/cluster-auth/0.5.9/values.yaml b/sources/cluster-auth/0.5.9/values.yaml index b8d8cc4b..2d300fd1 100644 --- a/sources/cluster-auth/0.5.9/values.yaml +++ b/sources/cluster-auth/0.5.9/values.yaml 
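Review bot: `config.authorization.defaultAction: allow` makes the authorizer fail open: a request that matches none of the three shipped policies is permitted, and since every policy carries `effect: allow`, `authentication.failureMode: deny` is the only setting that rejects traffic at all. Unless the engine's precedence makes this intentional, `defaultAction: deny` plus a comment (`# Requests matching no policy are allowed; set to deny for a default-deny posture`) is the safer default for a chart that attaches ext-auth to the whole `https` Gateway. `podSecurityContext: {}` and `securityContext: {}` leave the container without `runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` or `capabilities.drop: ["ALL"]`, and `openbao.address` is plain `http://`, so the token behind `${OPENBAO_TOKEN}` crosses the cluster network unencrypted unless a mesh terminates TLS — both deserve at least a comment stating the expectation. Finally, `existingSecret` defaults to `"cluster-auth-secrets"`, which means the `{{- if not .Values.existingSecret }}` warning in NOTES.txt never fires with default values and a missing secret surfaces only as a container config error on the pod; a comment on the key saying the secret must pre-exist with `openbao-token` and `admin-token` keys would make that explicit. This values.yaml hunk starts on the previous line.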
@@ -3,7 +3,7 @@ replicaCount: 1 image: repository: ghcr.io/silogen/cluster-auth pullPolicy: Always - tag: "0.5.9-rc2" + tag: "0.5.9" imagePullSecrets: [] nameOverride: "" @@ -85,7 +85,7 @@ config: openbao: address: "http://openbao.cf-openbao.svc.cluster.local:8200" token: "${OPENBAO_TOKEN}" - cacheTTL: "10s" + cacheTTL: "5m" - type: bearer name: fallback-bearer enabled: false From 381a5df77addbc285cca847dc23add0ab3d660b0 Mon Sep 17 00:00:00 2001 From: Daniel Vaskivaara Date: Thu, 7 May 2026 15:23:25 +0300 Subject: [PATCH 4/4] fix(sbom): sync after cluster-auth image bump --- sbom/components.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sbom/components.yaml b/sbom/components.yaml index 0ed507dd..9196a894 100644 --- a/sbom/components.yaml +++ b/sbom/components.yaml @@ -97,7 +97,7 @@ components: license: Apache License 2.0 licenseUrl: https://github.com/cert-manager/cert-manager/blob/master/LICENSE cluster-auth: - path: cluster-auth/0.5.0 + path: cluster-auth/0.5.9 valuesFile: values.yaml sourceUrl: https://github.com/silogen/cluster-forge/tree/main/sources/cluster-auth projectUrl: https://github.com/silogen/cluster-forge/tree/main/sources/cluster-auth @@ -246,7 +246,6 @@ components: projectUrl: https://github.com/openbao/openbao license: Mozilla Public License 2.0 licenseUrl: https://github.com/openbao/openbao/blob/main/LICENSE - opentelemetry-operator: path: opentelemetry-operator/0.93.1 sourceUrl: https://open-telemetry.github.io/opentelemetry-helm-charts
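Review bot: `cacheTTL` has gone 15m → 10s → 5m across three commits without a comment on what is cached, and the new `"5m"` presumably bounds how long a token revoked in OpenBao keeps being accepted by cluster-auth. A comment above the key such as `# Validated-token cache; a token revoked in OpenBao stays usable for up to this long` would record the trade-off the series was tuning (the 10s step in the previous patch suggests revocation latency was the concern). If the semantic differs — for example if lookup failures are cached too — the comment should say so, since a cached negative result combined with `failureMode: deny` would lock a caller out for the same window. This is the second of two hunks in the file; the first only bumps the image tag.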