silogen · Q-Dub · May 7, 2026 · May 4, 2026 · May 5, 2026 · May 7, 2026
@@ -239,7 +239,7 @@ apps:
       installCRDs: true
   cluster-auth:
     namespace: cluster-auth
-    path: cluster-auth/0.5.0
+    path: cluster-auth/0.5.9
     syncWave: -25
     valuesFile: values.yaml
   cluster-auth-config:

@@ -97,7 +97,7 @@ components:
     license: Apache License 2.0
     licenseUrl: https://github.com/cert-manager/cert-manager/blob/master/LICENSE
   cluster-auth:
-    path: cluster-auth/0.5.0
+    path: cluster-auth/0.5.9
     valuesFile: values.yaml
     sourceUrl: https://github.com/silogen/cluster-forge/tree/main/sources/cluster-auth
     projectUrl: https://github.com/silogen/cluster-forge/tree/main/sources/cluster-auth
@@ -246,7 +246,6 @@ components:
     projectUrl: https://github.com/openbao/openbao
     license: Mozilla Public License 2.0
     licenseUrl: https://github.com/openbao/openbao/blob/main/LICENSE
-
   opentelemetry-operator:
     path: opentelemetry-operator/0.93.1
     sourceUrl: https://open-telemetry.github.io/opentelemetry-helm-charts

@@ -0,0 +1,20 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: cluster-auth
+description: External authorization service for Kubernetes Gateway with OpenBao integration
+type: application
+version: 0.5.9
+appVersion: "0.5.9"
+keywords:
+  - envoy
+  - authorization
+  - openbao
+  - vault
+  - gateway-api
+  - kubernetes
+home: https://github.com/silogen/cluster-auth
+sources:
+  - https://github.com/silogen/cluster-auth
+maintainers:
+  - name: AMD EAI Platform Team
@@ -0,0 +1,61 @@
+Thank you for installing {{ .Chart.Name }}!
+
+Your release is named {{ .Release.Name }}.
+
+To verify the deployment:
+
+  kubectl get pods -n {{ .Values.namespace.name }} -l app.kubernetes.io/name={{ include "cluster-auth.name" . }}
+
+To check the logs:
+
+  kubectl logs -n {{ .Values.namespace.name }} -l app.kubernetes.io/name={{ include "cluster-auth.name" . }}
+
+To test the health endpoint:
+
+  kubectl port-forward -n {{ .Values.namespace.name }} svc/{{ include "cluster-auth.fullname" . }} 8080:{{ .Values.service.health.port }}
+  curl http://localhost:8080/health
+
+To access the REST API:
+
+  kubectl port-forward -n {{ .Values.namespace.name }} svc/{{ include "cluster-auth.fullname" . }} 8081:{{ .Values.service.restApi.port }}
+  curl -H "X-Admin-Token: <your-admin-token>" http://localhost:8081/apikey/groups | jq
+
+To access Prometheus metrics:
+
+  kubectl port-forward -n {{ .Values.namespace.name }} svc/{{ include "cluster-auth.fullname" . }} 9090:{{ .Values.service.metrics.port }}
+  curl http://localhost:9090/metrics
+
+{{- if not .Values.existingSecret }}
+
+WARNING: No existing secret configured!
+Please create a secret with OpenBao and admin tokens:
+
+  kubectl create secret generic cluster-auth-secrets \
+    --from-literal=openbao-token="<your-openbao-token>" \
+    --from-literal=admin-token="<your-admin-token>" \
+    --namespace={{ .Values.namespace.name }}
+
+Then update your values.yaml:
+  existingSecret: "cluster-auth-secrets"
+
+{{- end }}
+
+{{- if .Values.config.apikey.enabled }}
+
+API Key Management is enabled. Available endpoints:
+  - POST   /apikey/create  - Create API keys
+  - POST   /apikey/revoke  - Revoke API keys
+  - POST   /apikey/renew   - Renew API keys
+  - POST   /apikey/lookup  - Lookup API key metadata
+  - POST   /apikey/group   - Create groups
+  - DELETE /apikey/group   - Delete groups
+  - GET    /apikey/groups  - List all groups
+  - POST   /apikey/bind    - Bind key to group
+  - POST   /apikey/unbind  - Unbind key from group
+
+{{- end }}
+
+For more information, visit:
+  https://github.com/silogen/cluster-auth
+
+Happy authorizing!
@@ -0,0 +1,61 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster-auth.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "cluster-auth.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster-auth.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster-auth.labels" -}}
+helm.sh/chart: {{ include "cluster-auth.chart" . }}
+{{ include "cluster-auth.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster-auth.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster-auth.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: cluster-auth
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cluster-auth.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cluster-auth.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["gateway.networking.k8s.io"]
+  resources: ["httproutes"]
+  verbs: ["get", "list", "watch"]
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cluster-auth.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cluster-auth.fullname" . }}
+  namespace: {{ .Values.namespace.name }}
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}-config
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+{{ toYaml .Values.config | indent 4 }}
+  policies.yaml: |
+{{ toYaml .Values.policies | indent 4 }}
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "cluster-auth.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "cluster-auth.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "cluster-auth.fullname" . }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        {{- with .Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - name: grpc
+          containerPort: {{ .Values.service.grpc.port }}
+          protocol: TCP
+        - name: health
+          containerPort: {{ .Values.service.health.port }}
+          protocol: TCP
+        - name: rest-api
+          containerPort: {{ .Values.service.restApi.port }}
+          protocol: TCP
+        - name: metrics
+          containerPort: {{ .Values.service.metrics.port }}
+          protocol: TCP
+        args:
+        - "-config"
+        - "/etc/cluster-auth/config.yaml"
+        {{- if .Values.existingSecret }}
+        env:
+        - name: API_KEY_PREFIX
+          value: "amd_aim_api_key_"
+        - name: OPENBAO_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.existingSecret }}
+              key: openbao-token
+        - name: ADMIN_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.existingSecret }}
+              key: admin-token
+        {{- end }}
+        volumeMounts:
+        - name: config
+          mountPath: /etc/cluster-auth
+        {{- with .Values.livenessProbe }}
+        livenessProbe:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.readinessProbe }}
+        readinessProbe:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      volumes:
+      - name: config
+        configMap:
+          name: {{ include "cluster-auth.fullname" . }}-config
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
@@ -0,0 +1,15 @@
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: GatewayExtension
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}-extauth
+  namespace: kgateway-system
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+  type: ExtAuth
+  extAuth:
+    grpcService:
+      backendRef:
+        name: {{ include "cluster-auth.fullname" . }}
+        namespace: {{ .Values.namespace.name }}
+        port: {{ .Values.service.grpc.port }}
@@ -0,0 +1,15 @@
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: GatewayExtension
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}-extauth
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+  type: ExtAuth
+  extAuth:
+    grpcService:
+      backendRef:
+        name: {{ include "cluster-auth.fullname" . }}
+        namespace: {{ .Values.namespace.name }}
+        port: {{ .Values.service.grpc.port }}
@@ -0,0 +1,20 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "cluster-auth.fullname" . }}-restart-kgateway
+  namespace: {{ .Values.namespace.name }}
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+      containers:
+        - name: restart
+          image: bitnami/kubectl:latest
+          command:
+            - /bin/sh
+            - -c
+            - |
+              kubectl wait deployment {{ include "cluster-auth.fullname" . }} -n {{ .Values.namespace.name }} --for=condition=Available=True --timeout=180s
+              kubectl rollout restart deployment kgateway -n kgateway-system
+      restartPolicy: Never
@@ -0,0 +1,8 @@
+{{- if .Values.namespace.create -}}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace.name }}
+  labels:
+    {{- include "cluster-auth.labels" . | nindent 4 }}
+{{- end }}