Merge pull request #12 from linuxfoundation/jme/LFXV2-432

jordane · web-flow · commit bce0560f275a · 2025-09-04T12:15:31.000-07:00
add heimdall middleware
diff --git a/.github/workflows/ko-build-tag.yaml b/.github/workflows/ko-build-tag.yaml
@@ -3,7 +3,7 @@
 ---
 name: Publish Tagged Release
 
-on:
+"on":
   push:
     tags:
       - v*
@@ -28,7 +28,7 @@ jobs:
       chart_version: ${{ steps.prepare.outputs.chart_version }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
 
       - name: Prepare versions and chart name
         id: prepare
@@ -75,11 +75,12 @@ jobs:
       image_name: ${{ steps.publish-ghcr.outputs.image_name }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
 
       - name: Publish Chart to GHCR
         id: publish-ghcr
-        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@c465d6571fa0b8be9d551d902955164ea04a00af # main
+        # yamllint disable-line rule:line-length
+        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@c465d6571fa0b8be9d551d902955164ea04a00af  # main
         with:
           name: ${{ needs.publish.outputs.chart_name }}
           repository: ${{ github.repository }}/chart
@@ -90,12 +91,12 @@ jobs:
           registry_password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159  # v3.9.2
         with:
           cosign-release: "${{ env.COSIGN_VERSION }}"
 
       - name: Login to GitHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/.github/workflows/license-header-check.yml b/.github/workflows/license-header-check.yml
@@ -12,6 +12,7 @@ permissions:
 jobs:
   license-header-check:
     name: License Header Check
+    # yamllint disable-line rule:line-length
     uses: linuxfoundation/lfx-public-workflows/.github/workflows/license-header-check.yml@c465d6571fa0b8be9d551d902955164ea04a00af
     with:
       copyright_line: "Copyright The Linux Foundation and each contributor to LFX."
diff --git a/charts/lfx-v2-query-service/Chart.yaml b/charts/lfx-v2-query-service/Chart.yaml
@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-query-service
 description: LFX Platform V2 Query Service chart
 type: application
-version: 0.2.3
+version: 0.2.4
 appVersion: "latest"
diff --git a/charts/lfx-v2-query-service/templates/heimdall-middleware.yaml b/charts/lfx-v2-query-service/templates/heimdall-middleware.yaml
@@ -0,0 +1,35 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+{{ if .Values.heimdall.add_middleware }}
+---
+# Heimdall middleware with body forwarding capability
+# This is the default middleware that should be used in most cases, particularly
+# when parentRef requiring authentication is in the request body.
+# Note: For routes handling very large payloads (like file uploads), consider using
+# the lighter-weight middleware below to reduce overhead.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: heimdall-forward-body
+  namespace: {{ .Release.Namespace }}
+spec:
+  forwardAuth:
+    address: "{{ .Values.heimdall.url }}"
+    authResponseHeaders:
+      - Authorization
+    forwardBody: true
+---
+# Alternative Heimdall middleware without body forwarding
+# Use this middleware only for routes where body inspection isn't required for authentication
+# and when dealing with large payloads where forwarding the entire body would be inefficient.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: heimdall
+  namespace: {{ .Release.Namespace }}
+spec:
+  forwardAuth:
+    address: "{{ .Values.heimdall.url }}"
+    authResponseHeaders:
+      - Authorization
+{{- end }}
diff --git a/charts/lfx-v2-query-service/values.yaml b/charts/lfx-v2-query-service/values.yaml
@@ -53,6 +53,8 @@ heimdall:
   # enabled is a boolean to determine if the heimdall middleware is enabled
   # If disabled, there will be no authorization check on the query routes
   enabled: true
+  add_middleware: false
+  url: http://lfx-platform-heimdall.lfx.svc.cluster.local:4456
 
 # secret is the configuration for the Kubernetes Secret
 secret:
