Merge branch 'main' into feat/lfxv2-249-committee-model-writer-auditor

mauriciozanettisalomao · web-flow · commit 660adb319049 · 2025-09-01T09:39:20.000-03:00
diff --git a/charts/lfx-platform/Chart.yaml b/charts/lfx-platform/Chart.yaml
@@ -5,7 +5,7 @@ apiVersion: v2
 name: lfx-platform
 description: LFX Platform v2 Helm chart
 type: application
-version: 0.2.6
+version: 0.2.7
 icon: https://github.com/linuxfoundation/lfx-v2-helm/raw/main/img/lfx-logo-color.svg
 dependencies:
   - name: traefik
diff --git a/charts/lfx-platform/templates/heimdall/middleware.yaml b/charts/lfx-platform/templates/heimdall/middleware.yaml
@@ -1,8 +1,28 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
----
 {{ if and .Values.heimdall.enabled (or
   .Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
+---
+# Heimdall middleware with body forwarding capability
+# This is the default middleware that should be used in most cases, particularly 
+# when parentRef requiring authentication is in the request body.
+# Note: For routes handling very large payloads (like file uploads), consider using 
+# the lighter-weight middleware below to reduce overhead.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: heimdall-forward-body
+  namespace: {{ .Release.Namespace }}
+spec:
+  forwardAuth:
+    address: "http://{{ include "heimdall.fullname" .Subcharts.heimdall }}.{{ .Release.Namespace }}:{{ .Values.heimdall.service.main.port }}"
+    authResponseHeaders:
+      - Authorization
+    forwardBody: true
+---
+# Alternative Heimdall middleware without body forwarding
+# Use this middleware only for routes where body inspection isn't required for authentication
+# and when dealing with large payloads where forwarding the entire body would be inefficient.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
diff --git a/charts/lfx-platform/values.yaml b/charts/lfx-platform/values.yaml
@@ -192,6 +192,13 @@ heimdall:
         type: allow
       - id: deny_all
         type: deny
+      - id: json_content_type
+        type: cel
+        config:
+          expressions:
+            - expression: |
+                Request.Header("Content-Type") == "application/json"
+              message: "Content-Type must be application/json"
       - id: openfga_check
         type: remote
         config:
