Merge branch 'main' into bramwelt/fix-https-redirects

Author: bramwelt

.cspell.json

@@ -4,6 +4,7 @@
   "words": [
     "aquasecurity",
     "authelia",
+    "clearbit",
     "contextualizer",
     "contextualizers",
     "crds",
@@ -27,6 +28,7 @@
     "sslmode",
     "subchart",
     "subcharts",
+    "swaggerapi",
     "tcsh",
     "totp",
     "traefik",

.github/workflows/mega-linter.yml

@@ -29,6 +29,20 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Installs packaged subcharts under charts/*/charts/*.tgz. Also
+      # fails if the Chart.lock digest is wrong.
+      - name: Helm dependency fetch
+        shell: bash
+        run: |
+          set -euo pipefail
+          for chart in charts/*; do
+            if [ -f "${chart}/Chart.lock" ]; then
+              yq -r '.dependencies[] | select(.repository | contains("oci://") == false) | "\(.name) \(.repository)"' \
+                "${chart}/Chart.yaml" | xargs -L1 helm repo add --force-update
+              helm dependency build "${chart}"
+            fi
+          done
+
       # MegaLinter
       - name: MegaLinter
         id: ml

.github/workflows/release.yaml

@@ -43,7 +43,7 @@ jobs:
 
       - name: Publish Chart to GHCR
         id: publish-ghcr
-        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@a5d0271f539e3f69194cca94d9884914c3be088b
+        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@e619121ece4ca4b1d6c89ade032f26105505756d
         with:
           name: ${{ steps.prepare.outputs.chart_name }}
           repository: ${{ github.repository }}/chart

.mega-linter.yml

@@ -37,5 +37,3 @@ SPELL_VALE_PRE_COMMANDS:
 FILTER_REGEX_EXCLUDE: '(templates/.*\.yml|templates/.*\.yaml)'
 KUBERNETES_DIRECTORY: charts/lfx-platform
 KUBERNETES_HELM_ARGUMENTS: charts/lfx-platform
-KUBERNETES_HELM_PRE_COMMANDS:
-  - command: helm dependency update charts/lfx-platform

charts/lfx-platform/Chart.lock

@@ -1,16 +1,16 @@
 dependencies:
 - name: traefik
-  repository: https://traefik.github.io/charts
+  repository: oci://ghcr.io/traefik/helm
   version: 36.2.0
 - name: openfga
   repository: https://openfga.github.io/helm-charts
-  version: 0.2.39
+  version: 0.2.43
 - name: heimdall
-  repository: https://dadrus.github.io/heimdall/charts
+  repository: oci://ghcr.io/dadrus/heimdall/chart
   version: 0.15.8
 - name: nats
   repository: https://nats-io.github.io/k8s/helm/charts/
-  version: 1.3.10
+  version: 1.3.14
 - name: opensearch
   repository: https://opensearch-project.github.io/helm-charts/
   version: 2.34.0
@@ -19,10 +19,10 @@ dependencies:
   version: 0.25.2
 - name: authelia
   repository: https://charts.authelia.com
-  version: 0.10.41
+  version: 0.10.46
 - name: nack
   repository: https://nats-io.github.io/k8s/helm/charts/
-  version: 0.29.1
+  version: 0.29.2
 - name: fga-operator
   repository: https://3schwartz.github.io/fga-operator/
   version: 1.0.0
@@ -32,5 +32,23 @@ dependencies:
 - name: trust-manager
   repository: https://charts.jetstack.io
   version: v0.18.0
-digest: sha256:591a323ff20b90c4b50fd92c63788e91d7e08ff2606f155af26e38527680a84d
-generated: "2025-08-06T11:35:55.1914-07:00"
+- name: lfx-v2-query-service
+  repository: oci://ghcr.io/linuxfoundation/lfx-v2-query-service/chart
+  version: 0.4.6
+- name: lfx-v2-project-service
+  repository: oci://ghcr.io/linuxfoundation/lfx-v2-project-service/chart
+  version: 0.4.3
+- name: lfx-v2-fga-sync
+  repository: oci://ghcr.io/linuxfoundation/lfx-v2-fga-sync/chart
+  version: 0.2.3
+- name: lfx-v2-access-check
+  repository: oci://ghcr.io/linuxfoundation/lfx-v2-access-check/chart
+  version: 0.2.3
+- name: lfx-v2-indexer-service
+  repository: oci://ghcr.io/linuxfoundation/lfx-v2-indexer-service/chart
+  version: 0.4.4
+- name: lfx-v2-auth-service
+  repository: oci://ghcr.io/linuxfoundation/lfx-v2-auth-service/chart
+  version: 0.2.1
+digest: sha256:4910bb2ac9c059bb3e4beb5067ba6bcca6e7f9b2c76ce91897a7e68d85c680d6
+generated: "2025-09-29T12:29:27.911893-03:00"

charts/lfx-platform/Chart.yaml

@@ -5,19 +5,19 @@ apiVersion: v2
 name: lfx-platform
 description: LFX Platform v2 Helm chart
 type: application
-version: 0.1.10
+version: 0.2.18
 icon: https://github.com/linuxfoundation/lfx-v2-helm/raw/main/img/lfx-logo-color.svg
 dependencies:
   - name: traefik
-    repository: https://traefik.github.io/charts
+    repository: oci://ghcr.io/traefik/helm
     version: ~36.2.0
     condition: traefik.enabled
   - name: openfga
     repository: https://openfga.github.io/helm-charts
     version: ~0.2.37
     condition: openfga.enabled
   - name: heimdall
-    repository: https://dadrus.github.io/heimdall/charts
+    repository: oci://ghcr.io/dadrus/heimdall/chart
     version: ~0.15.6
     condition: heimdall.enabled
   - name: nats
@@ -52,3 +52,27 @@ dependencies:
     repository: https://charts.jetstack.io
     version: ~0.18.0
     condition: trustManagerEnabled
+  - name: lfx-v2-query-service
+    repository: oci://ghcr.io/linuxfoundation/lfx-v2-query-service/chart
+    version: ~0.4.6
+    condition: lfx-v2-query-service.enabled
+  - name: lfx-v2-project-service
+    repository: oci://ghcr.io/linuxfoundation/lfx-v2-project-service/chart
+    version: ~0.4.3
+    condition: lfx-v2-project-service.enabled
+  - name: lfx-v2-fga-sync
+    repository: oci://ghcr.io/linuxfoundation/lfx-v2-fga-sync/chart
+    version: ~0.2.3
+    condition: lfx-v2-fga-sync.enabled
+  - name: lfx-v2-access-check
+    repository: oci://ghcr.io/linuxfoundation/lfx-v2-access-check/chart
+    version: ~0.2.3
+    condition: lfx-v2-access-check.enabled
+  - name: lfx-v2-indexer-service
+    repository: oci://ghcr.io/linuxfoundation/lfx-v2-indexer-service/chart
+    version: ~0.4.4
+    condition: lfx-v2-indexer-service.enabled
+  - name: lfx-v2-auth-service
+    repository: oci://ghcr.io/linuxfoundation/lfx-v2-auth-service/chart
+    version: ~0.2.1
+    condition: lfx-v2-auth-service.enabled

charts/lfx-platform/templates/_traefik.tpl

@@ -8,8 +8,8 @@ Determine if HTTPS is enabled and get the HTTPS listener name in a single loop
 */}}
 {{- define "lfx-platform.https-enabled" -}}
 {{- $httpsEnabled := false -}}
-{{- if .Values.traefik.gateway.listeners -}}
-  {{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- if .Values.gateway.listeners -}}
+  {{- range $name, $listener := .Values.gateway.listeners -}}
     {{- if eq $listener.protocol "HTTPS" -}}
       {{- $httpsEnabled = true -}}
       {{- break -}}
@@ -24,8 +24,8 @@ Get the HTTPS listener name (sectionName) from gateway listeners
 */}}
 {{- define "lfx-platform.https-listener" -}}
 {{- $httpsListener := "websecure" -}}
-{{- if .Values.traefik.gateway.listeners -}}
-  {{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- if .Values.gateway.listeners -}}
+  {{- range $name, $listener := .Values.gateway.listeners -}}
     {{- if eq $listener.protocol "HTTPS" -}}
       {{- $httpsListener = $name -}}
       {{- break -}}
@@ -41,11 +41,11 @@ Prioritize "web" listener if it exists, otherwise use the first HTTP listener fo
 */}}
 {{- define "lfx-platform.http-listener" -}}
 {{- $httpListener := "web" -}}
-{{- if .Values.traefik.gateway.listeners -}}
-  {{- if index .Values.traefik.gateway.listeners "web" -}}
+{{- if .Values.gateway.listeners -}}
+  {{- if index .Values.gateway.listeners "web" -}}
     {{- $httpListener = "web" -}}
   {{- else -}}
-    {{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+    {{- range $name, $listener := .Values.gateway.listeners -}}
       {{- if eq $listener.protocol "HTTP" -}}
         {{- $httpListener = $name -}}
         {{- break -}}