Merge branch 'main' into jme/LFXV2-325

Signed-off-by: Jordan Evans <jevans@linuxfoundation.org>

Author: jordane

charts/lfx-platform/Chart.lock

@@ -19,10 +19,10 @@ dependencies:
   version: 0.25.2
 - name: authelia
   repository: https://charts.authelia.com
-  version: 0.10.42
+  version: 0.10.44
 - name: nack
   repository: https://nats-io.github.io/k8s/helm/charts/
-  version: 0.29.1
+  version: 0.29.2
 - name: fga-operator
   repository: https://3schwartz.github.io/fga-operator/
   version: 1.0.0
@@ -34,18 +34,18 @@ dependencies:
   version: v0.18.0
 - name: lfx-v2-query-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-query-service/chart
-  version: 0.2.3
+  version: 0.2.4
 - name: lfx-v2-project-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-project-service/chart
-  version: 0.4.2
+  version: 0.4.3
 - name: lfx-v2-fga-sync
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-fga-sync/chart
   version: 0.2.1
 - name: lfx-v2-access-check
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-access-check/chart
-  version: 0.2.1
+  version: 0.2.2
 - name: lfx-v2-indexer-service
   repository: oci://ghcr.io/linuxfoundation/lfx-v2-indexer-service/chart
-  version: 0.2.0
-digest: sha256:a4308bf013728b0d0114c4b3eb0f4eeda5713c241d5fa37e4ddfcfc850773159
-generated: "2025-08-19T15:22:38.814964-07:00"
+  version: 0.4.1
+digest: sha256:5d3f71f046ccac29a00cddb34dd9472a57a1c38fc1d92f8e5e784abd61616b80
+generated: "2025-09-08T11:05:46.092768-07:00"

charts/lfx-platform/Chart.yaml

@@ -5,7 +5,7 @@ apiVersion: v2
 name: lfx-platform
 description: LFX Platform v2 Helm chart
 type: application
-version: 0.2.3
+version: 0.2.9
 icon: https://github.com/linuxfoundation/lfx-v2-helm/raw/main/img/lfx-logo-color.svg
 dependencies:
   - name: traefik
@@ -54,21 +54,21 @@ dependencies:
     condition: trustManagerEnabled
   - name: lfx-v2-query-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-query-service/chart
-    version: ~0.2.2
+    version: ~0.2.3
     condition: lfx-v2-query-service.enabled
   - name: lfx-v2-project-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-project-service/chart
-    version: ~0.4.0
+    version: ~0.4.2
     condition: lfx-v2-project-service.enabled
   - name: lfx-v2-fga-sync
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-fga-sync/chart
-    version: ~0.2.0
+    version: ~0.2.1
     condition: lfx-v2-fga-sync.enabled
   - name: lfx-v2-access-check
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-access-check/chart
-    version: ~0.2.1
+    version: ~0.2.2
     condition: lfx-v2-access-check.enabled
   - name: lfx-v2-indexer-service
     repository: oci://ghcr.io/linuxfoundation/lfx-v2-indexer-service/chart
-    version: ~0.2.0
+    version: ~0.4.0
     condition: lfx-v2-indexer-service.enabled

charts/lfx-platform/templates/heimdall/middleware.yaml

@@ -1,8 +1,28 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
----
 {{ if and .Values.heimdall.enabled (or
   .Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
+---
+# Heimdall middleware with body forwarding capability
+# This is the default middleware that should be used in most cases, particularly 
+# when parentRef requiring authentication is in the request body.
+# Note: For routes handling very large payloads (like file uploads), consider using 
+# the lighter-weight middleware below to reduce overhead.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: heimdall-forward-body
+  namespace: {{ .Release.Namespace }}
+spec:
+  forwardAuth:
+    address: "http://{{ include "heimdall.fullname" .Subcharts.heimdall }}.{{ .Release.Namespace }}:{{ .Values.heimdall.service.main.port }}"
+    authResponseHeaders:
+      - Authorization
+    forwardBody: true
+---
+# Alternative Heimdall middleware without body forwarding
+# Use this middleware only for routes where body inspection isn't required for authentication
+# and when dealing with large payloads where forwarding the entire body would be inefficient.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:

charts/lfx-platform/templates/openfga/model.yaml

@@ -11,10 +11,17 @@ metadata:
     app.kubernetes.io/component: openfga
 spec:
   instances:
+{{/*
+  Each change to the authorization model should be accompanied by a version bump.
+  These are the recommended guidelines for versioning:
+    - major: Modifications, deletions, or additions of type
+    - minor: Additions or deletions of relations
+    - patch: Modifications of define
+*/}}
     - version:
-        major: 1
-        minor: 2
-        patch: 1
+        major: 4
+        minor: 1
+        patch: 0
       authorizationModel: |
         model
           schema 1.1
@@ -40,17 +47,38 @@ spec:
           relations
             define member: [user]
             define project: [project]
-            define writer: writer from project
-            define auditor: auditor from project or meeting_coordinator from project
+            define owner: [user, team#member]
+            define writer: [user] or owner or writer from project
+            define auditor: [user, team#member] or auditor from project or meeting_coordinator from project
+            define viewer: [user:*] or auditor or auditor from project
+
+        type groupsio_service
+          relations
+            define project: [project]
+            define owner: owner from project
+            define writer: writer from project or owner
+            define auditor: auditor from project or writer
             define viewer: [user:*] or auditor from project
 
+        type groupsio_mailing_list
+          relations
+            define groupsio_service: [groupsio_service]  # Parent relationship
+            define project: project from groupsio_service # Inherit project permissions
+            define committee: [committee] # Inherit committee permissions
+            define owner: owner from groupsio_service or owner from committee
+            define writer: writer from groupsio_service or writer from committee
+            define auditor: auditor from groupsio_service or auditor from committee
+            define viewer: viewer from groupsio_service or member from committee
+
         type meeting
           relations
             define project: [project]
             define committee: [committee]
+            # The auditor relation identifies a user who can audit this meeting.
+            define auditor: auditor from project
             # The organizer relation identifies a user who can manage this one meeting.
             # That means they can update the meeting details, invite/uninvite participants, etc.
-            define organizer: [user] or meeting_coordinator from project or writer from project
+            define organizer: [user] or meeting_coordinator from project or writer from committee or writer from project
             # The host relation identifies a user who is a host of this meeting.
             # This is different than the organizer relation because an organizer isn't necessarily
             # the user who is hosting the meeting, nor is the host necessarily the one who is
@@ -68,5 +96,29 @@ spec:
             # The viewer relation identifies a user who can view this meeting.
             # If the meeting is public, then any user can view it; but if it is private, then
             # only certain privileged users can view it.
-            define viewer: [user:*] or participant or organizer or auditor from project
+            define viewer: [user:*] or participant or organizer or auditor
+
+          type past_meeting
+          relations
+            define project: [project]
+            define committee: [committee]
+            # The meeting relation identifies the meeting that this past meeting was created from.
+            # Note: it is possible that the meeting no longer exists, so having permissions on the
+            # meeting become obsolete if the meeting is deleted.
+            define meeting: [meeting]
+            # The auditor relation identifies a user who can audit this meeting.
+            define auditor: auditor from project or auditor from meeting
+            # The organizer relation identifies a user who can manage this one past meeting.
+            # That means they can update the past meeting details, update the participants, etc.
+            define organizer: [user] or meeting_coordinator from project or writer from project or organizer from meeting
+            # The host relation identifies a user who was a host of this past meeting.
+            define host: [user] or organizer
+            # The invitee relation identifies a participant who was invited to this past meeting.
+            define invitee: [user]
+            # The attendee relation identifies a participant who attended this past meeting.
+            define attendee: [user]
+            # The viewer relation identifies a user who can view this past meeting.
+            # If the past meeting is public, then any user can view it; but if it is private, then
+            # only certain privileged users can view it.
+            define viewer: [user:*] or attendee or invitee or organizer or auditor
 {{- end }}

charts/lfx-platform/values.yaml

@@ -209,6 +209,13 @@ heimdall:
         type: allow
       - id: deny_all
         type: deny
+      - id: json_content_type
+        type: cel
+        config:
+          expressions:
+            - expression: |
+                Request.Header("Content-Type") == "application/json"
+              message: "Content-Type must be application/json"
       - id: openfga_check
         type: remote
         config: