add heimdall middleware

jordane · jordane · commit d99de065b304 · 2025-09-04T10:12:00.000-07:00
This is needed if this service is installed in a namespace
that doesn't otherwise have the middleware, since there is no
current way to reference a middleware in the gateway api spec
outside of the current namespace.

Signed-off-by: Jordan Evans &lt;jevans@linuxfoundation.org&gt;
diff --git a/charts/lfx-v2-query-service/Chart.yaml b/charts/lfx-v2-query-service/Chart.yaml
@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-query-service
 description: LFX Platform V2 Query Service chart
 type: application
-version: 0.2.3
+version: 0.2.4
 appVersion: "latest"
diff --git a/charts/lfx-v2-query-service/templates/heimdall-middleware.yaml b/charts/lfx-v2-query-service/templates/heimdall-middleware.yaml
@@ -0,0 +1,35 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+{{ if .Values.heimdall.add_middleware }}
+---
+# Heimdall middleware with body forwarding capability
+# This is the default middleware that should be used in most cases, particularly
+# when parentRef requiring authentication is in the request body.
+# Note: For routes handling very large payloads (like file uploads), consider using
+# the lighter-weight middleware below to reduce overhead.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: heimdall-forward-body
+  namespace: {{ .Release.Namespace }}
+spec:
+  forwardAuth:
+    address: "{{ .Values.heimdall.url }}"
+    authResponseHeaders:
+      - Authorization
+    forwardBody: true
+---
+# Alternative Heimdall middleware without body forwarding
+# Use this middleware only for routes where body inspection isn't required for authentication
+# and when dealing with large payloads where forwarding the entire body would be inefficient.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: heimdall
+  namespace: {{ .Release.Namespace }}
+spec:
+  forwardAuth:
+    address: "{{ .Values.heimdall.url }}"
+    authResponseHeaders:
+      - Authorization
+{{- end }}
diff --git a/charts/lfx-v2-query-service/values.yaml b/charts/lfx-v2-query-service/values.yaml
@@ -53,6 +53,8 @@ heimdall:
   # enabled is a boolean to determine if the heimdall middleware is enabled
   # If disabled, there will be no authorization check on the query routes
   enabled: true
+  add_middleware: false
+  url: http://lfx-platform-heimdall.lfx.svc.cluster.local:4456
 
 # secret is the configuration for the Kubernetes Secret
 secret:
@@ -66,3 +68,4 @@ jwks:
   url: http://lfx-platform-heimdall:4457/.well-known/jwks
 jwt:
   signatureAlgorithm: PS256
+
