Merge branch 'main' into bramwelt/additional-services

bramwelt · bramwelt · commit 6cf4f10e15db · 2025-10-07T14:50:05.000-07:00
Signed-off-by: Trevor Bramwell &lt;tbramwell@linuxfoundation.org&gt;
diff --git a/.cspell.json b/.cspell.json
@@ -9,6 +9,7 @@
     "contextualizers",
     "crds",
     "dadrus",
+    "daemonset",
     "dbname",
     "finalizer",
     "gelf",
diff --git a/charts/lfx-platform/Chart.lock b/charts/lfx-platform/Chart.lock
@@ -4,7 +4,7 @@ dependencies:
   version: 36.2.0
 - name: openfga
   repository: https://openfga.github.io/helm-charts
-  version: 0.2.43
+  version: 0.2.44
 - name: heimdall
   repository: oci://ghcr.io/dadrus/heimdall/chart
   version: 0.15.8
@@ -34,10 +34,10 @@ dependencies:
   version: v0.18.0
 - name: lfx-v2-query-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-query-service/chart
-  version: 0.4.4
+  version: 0.4.7
 - name: lfx-v2-project-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-project-service/chart
-  version: 0.4.3
+  version: 0.4.6
 - name: lfx-v2-fga-sync
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-fga-sync/chart
   version: 0.2.3
@@ -46,15 +46,15 @@ dependencies:
   version: 0.2.3
 - name: lfx-v2-indexer-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-indexer-service/chart
-  version: 0.2.0
+  version: 0.4.4
 - name: lfx-v2-committee-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-committee-service/chart
   version: 0.1.1
 - name: lfx-v2-meeting-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-meeting-service/chart
-  version: 0.4.3
+  version: 0.1.1
 - name: lfx-v2-auth-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-auth-service/chart
-  version: 0.1.1
-digest: sha256:5694f4680e1a9e638879d26fbfa8a3ca219e07894971253ded7f302a402db88f
-generated: "2025-09-25T08:36:20.482743-03:00"
+  version: 0.2.5
+digest: sha256:762d9c09282b2130f84066a2ba188317a88d3922c3befa86db83ca695345490f
+generated: "2025-10-07T14:43:56.084279178-07:00"
diff --git a/charts/lfx-platform/Chart.yaml b/charts/lfx-platform/Chart.yaml
@@ -54,7 +54,7 @@ dependencies:
     condition: trustManagerEnabled
   - name: lfx-v2-query-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-query-service/chart
-    version: ~0.4.4
+    version: ~0.4.6
     condition: lfx-v2-query-service.enabled
   - name: lfx-v2-project-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-project-service/chart
@@ -70,7 +70,7 @@ dependencies:
     condition: lfx-v2-access-check.enabled
   - name: lfx-v2-indexer-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-indexer-service/chart
-    version: ~0.4.1
+    version: ~0.4.4
     condition: lfx-v2-indexer-service.enabled
   - name: lfx-v2-committee-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-committee-service/chart
@@ -82,5 +82,5 @@ dependencies:
     condition: lfx-v2-meeting-service.enabled
   - name: lfx-v2-auth-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-auth-service/chart
-    version: ~0.1.0
+    version: ~0.2.2
     condition: lfx-v2-auth-service.enabled
diff --git a/charts/lfx-platform/templates/mailpit/https-redirect-httproute.yaml b/charts/lfx-platform/templates/mailpit/https-redirect-httproute.yaml
@@ -1,7 +1,7 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
 ---
-{{ if and .Values.mailpit.enabled (include "lfx-platform.https-enabled" .) (or
+{{ if and .Values.mailpit.enabled (eq (include "lfx-platform.https-enabled" .) "true") (or
   .Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
diff --git a/charts/lfx-platform/templates/openfga/model.yaml b/charts/lfx-platform/templates/openfga/model.yaml
@@ -19,9 +19,9 @@ spec:
     - patch: Modifications of define
 */}}
     - version:
-        major: 4
+        major: 5
         minor: 3
-        patch: 1
+        patch: 2
       authorizationModel: |
         model
           schema 1.1
@@ -107,7 +107,7 @@ spec:
             # meeting become obsolete if the meeting is deleted.
             define meeting: [meeting]
             # The auditor relation identifies a user who can audit this meeting.
-            define auditor: auditor from project or auditor from meeting
+            define auditor: organizer or auditor from project or auditor from meeting
             # The organizer relation identifies a user who can manage this one past meeting.
             # That means they can update the past meeting details, update the participants, etc.
             define organizer: [user] or meeting_coordinator from project or writer from project or organizer from meeting
@@ -121,4 +121,73 @@ spec:
             # If the past meeting is public, then any user can view it; but if it is private, then
             # only certain privileged users can view it.
             define viewer: [user:*] or attendee or invitee or organizer or auditor
+
+          # The past_meeting_recording type identifies a recording of a past meeting.
+          # Access to a recording is limited to one of the following groups:
+          # - Only meeting hosts
+          # - Only meeting participants
+          # - Public (anyone)
+          type past_meeting_recording
+          relations
+            define past_meeting: [past_meeting]
+            define writer: organizer from past_meeting
+            define auditor: auditor from past_meeting
+            define host: host from past_meeting
+            define participant: invitee from past_meeting or attendee from past_meeting
+            # The viewer relation needs to be kept up-to-date separately from the other relations
+            # because it depends on the past meeting artifact_visibility setting. Auditors and writers
+            # do however by default have access to view the recording.
+            #
+            # If the artifact_visibility is public, then every user should be a viewer
+            # If it is set to only meeting participants, then only the meeting participants
+            # should be able to view the recording.
+            # If it is set to only meeting hosts, then only the meeting hosts should be able
+            # to view the recording.
+            define viewer: [user:*] or writer or auditor
+
+          # The past_meeting_transcript type identifies a transcript of a past meeting.
+          # Access to a transcript is limited to one of the following groups:
+          # - Only meeting hosts
+          # - Only meeting participants
+          # - Public (anyone)
+          type past_meeting_transcript
+          relations
+            define past_meeting: [past_meeting]
+            define writer: organizer from past_meeting
+            define auditor: auditor from past_meeting
+            define host: host from past_meeting
+            define participant: invitee from past_meeting or attendee from past_meeting
+            # The viewer relation needs to be kept up-to-date separately from the other relations
+            # because it depends on the past meeting artifact_visibility setting. Auditors and writers
+            # do however by default have access to view the transcript.
+            #
+            # If the artifact_visibility is public, then every user should be a viewer
+            # If it is set to only meeting participants, then only the meeting participants
+            # should be able to view the transcript.
+            # If it is set to only meeting hosts, then only the meeting hosts should be able
+            # to view the transcript.
+            define viewer: [user:*] or writer or auditor
+
+          # The past_meeting_summary type identifies a summary of a past meeting.
+          # Access to a summary is limited to one of the following groups:
+          # - Only meeting hosts
+          # - Only meeting participants
+          # - Public (anyone)
+          type past_meeting_summary
+          relations
+            define past_meeting: [past_meeting]
+            define writer: organizer from past_meeting
+            define auditor: auditor from past_meeting
+            define host: host from past_meeting
+            define participant: invitee from past_meeting or attendee from past_meeting
+            # The viewer relation needs to be kept up-to-date separately from the other relations
+            # because it depends on the past meeting artifact_visibility setting. Auditors and writers
+            # do however by default have access to view the summary.
+            #
+            # If the artifact_visibility is public, then every user should be a viewer
+            # If it is set to only meeting participants, then only the meeting participants
+            # should be able to view the summary.
+            # If it is set to only meeting hosts, then only the meeting hosts should be able
+            # to view the summary.
+            define viewer: [user:*] or writer or auditor
 {{- end }}
diff --git a/charts/lfx-platform/values.yaml b/charts/lfx-platform/values.yaml
@@ -553,3 +553,22 @@ lfx-v2-auth-service:
   enabled: true
   lfx:
     domain: k8s.orb.local
+  app:
+    environment:
+      # Repository type for user management
+      # It can be authelia, auth0 or mock
+      # In case of auth0, please refer to the following documentation
+      ## https://github.com/linuxfoundation/lfx-v2-auth-service?tab=readme-ov-file#auth0-configuration
+      USER_REPOSITORY_TYPE:
+        value: mock
+      # Authelia configuration
+      ## Required when using "authelia" repository type
+      ## For more information, see the [Local Development Support documentation](https://github.com/linuxfoundation/lfx-v2-auth-service/blob/main/README.md#local-development-support)
+      AUTHELIA_CONFIGMAP_NAME:
+        value: authelia-users
+      AUTHELIA_CONFIGMAP_NAMESPACE:
+        value: lfx
+      AUTHELIA_DAEMONSET_NAME:
+        value: lfx-platform-authelia
+      AUTHELIA_SECRET_NAME:
+        value: authelia-users
