From c6a457d8c8cccbaead11d3667e2d68b85de1fc2e Mon Sep 17 00:00:00 2001
From: Andreas Beuge
Date: Fri, 6 Mar 2026 17:42:17 +0100
Subject: [PATCH 1/5] chore: extend securitypolicy with backendRef attribute
---
 parcellab/common/templates/_securitypolicies.tpl | 9 +++++++++
 parcellab/microservice/values.yaml | 12 ++++++++++++
 parcellab/monolith/values.yaml | 12 ++++++++++++
 3 files changed, 33 insertions(+)
diff --git a/parcellab/common/templates/_securitypolicies.tpl b/parcellab/common/templates/_securitypolicies.tpl
index 3e0666f..a5893ac 100644
--- a/parcellab/common/templates/_securitypolicies.tpl
+++ b/parcellab/common/templates/_securitypolicies.tpl
@@ -39,6 +39,7 @@
 {{- $claimToHeaders := coalesce $policy.claimToHeaders $globalClaimHeaders -}}
 {{- $jwtProviderName := coalesce $policy.jwtProviderName $globalJwtProviderName "keycloak" -}}
 {{- $jwksURI := coalesce $policy.jwksURI $globalJwksURI (printf "%s/protocol/openid-connect/certs" $issuer) -}}
+{{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}}
 {{- $targetRef := $policy.targetRef -}}
 {{- $targetRefs := $policy.targetRefs -}}
 {{- $rawSelectors := list -}}
@@ -84,6 +85,10 @@ spec:
 oidc:
 provider:
 issuer: {{ $issuer | quote }}
+ {{- with $backendRefs }}
+ backendRefs:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 clientID: {{ $clientID | quote }}
 clientSecret:
 name: {{ $clientSecretName | quote }}
@@ -104,6 +109,10 @@ spec:
 remoteJWKS:
 cacheDuration: 300s
 uri: {{ $jwksURI | quote }}
+ {{- with $backendRefs }}
+ backendRefs:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- with $claimToHeaders }}
 claimToHeaders:
 {{ toYaml . | nindent 8 }}
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index 65e740c..d2b61e6 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml
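Review bot: `coalesce $policy.backendRefs $security.backendRefs` treats an empty list as unset, so a policy that sets `backendRefs: []` to let Envoy resolve its IdP host itself silently inherits the global list instead; if a per-policy opt-out is intended, fall back only when the key is absent, e.g. `{{- $backendRefs := ternary $policy.backendRefs $security.backendRefs (hasKey $policy "backendRefs") -}}`, otherwise state in values.yaml that an empty list does not override the global one. The neighbouring fallbacks read pre-resolved `$global…` variables while this line reaches into `$security.backendRefs` directly, which looks like where those globals are derived from; a `$globalBackendRefs` defined alongside them would keep the block uniform. The enclosing template starts outside the hunk.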
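Review bot: The same `$backendRefs` list is rendered under `oidc.provider` in the hunk at -84 and under `jwt.providers[].remoteJWKS` in the hunk at -104, so once it is set the remote JWKS fetch is also routed to that Service even when `jwksURI` has been overridden to a host the Service does not serve, and the template gives no hint of this coupling. A comment above the first `with`, e.g. `{{/* backendRefs route both the OIDC provider calls and the remote JWKS fetch to the same Service; do not combine with a jwksURI on another host */}}`, would spare the next maintainer a debugging session, or split it into separate oidc/jwt values if divergence is a real use case. The `nindent 8` versus `nindent 12` depths cannot be checked against the collapsed indentation here, so a `helm template` run confirming both lists land under their parent keys is worth doing before merge. Both enclosing SecurityPolicy documents start outside the hunks.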
@@ -116,6 +116,12 @@ envoy:
 # claimToHeaders:
 # - header: "x-user-email"
 # claim: "email"
+ # backendRefs: # optional: used by both oidc.provider and jwt.remoteJWKS to route to the IdP service directly
+ # - group: ""
+ # kind: Service
+ # name: keycloak
+ # namespace: keycloak
+ # port: 80
 # policies:
 # - name: staff-only
 # targetRef:
@@ -132,6 +138,12 @@ envoy:
 # - name: groups
 # valueType: StringArray
 # values: ["staff"]
+ # # backendRefs: # optional: overrides the global backendRefs above for this policy only
+ # # - group: ""
+ # # kind: Service
+ # # name: keycloak
+ # # namespace: keycloak
+ # # port: 80
 ##
 ## Cronjob
diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml
index 7929514..e6cfbad 100644
--- a/parcellab/monolith/values.yaml
+++ b/parcellab/monolith/values.yaml
@@ -145,12 +145,24 @@ envoy:
 # claimToHeaders:
 # - header: "x-user-email"
 # claim: "email"
+ # backendRefs: # optional: backend service for oidc.provider and jwt.remoteJWKS
+ # - group: "" # applies globally to all policies unless overridden per-policy
+ # kind: Service
+ # name: keycloak
+ # namespace: keycloak
+ # port: 80
 # policies:
 # - name: staff-only
 # targetRef:
 # kind: HTTPRoute
 # name: my-default-route
 # group: "gateway.networking.k8s.io"
+ # backendRefs: # optional: overrides the global backendRefs above for this policy
+ # - group: ""
+ # kind: Service
+ # name: keycloak
+ # namespace: keycloak
+ # port: 80
 # authorizationRules:
 # - name: member-of-staff-group
 # action: Allow
From 02f50f765dd1c89f8223a6a3175eee450759c203 Mon Sep 17 00:00:00 2001
From: andibeuge <97287249+andibeuge@users.noreply.github.com>
Date: Mon, 9 Mar 2026 09:40:35 +0100
Subject: [PATCH 2/5] Update parcellab/microservice/values.yaml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 parcellab/microservice/values.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
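Review bot: The example `backendRefs` points at `namespace: keycloak`, `port: 80` without a word on what that implies: as with any Gateway API cross-namespace reference, the backendRef is only honoured once a ReferenceGrant in that namespace permits it, and on a plain-HTTP port the authorization-code exchange carrying `clientSecret`, plus every JWKS fetch, crosses the cluster network unencrypted unless the hop is covered by a mesh or a TLS port with a BackendTLSPolicy. Since this snippet is what chart users copy, extend the inline comment on the `backendRefs:` line, e.g. `# cross-namespace refs need a ReferenceGrant in the target namespace; prefer a TLS port (BackendTLSPolicy) so the token exchange is not cleartext in-cluster`. The same example recurs in the monolith hunk at -145 and in both per-policy override blocks, so one edit per file keeps them aligned. The surrounding `envoy:` section continues outside the hunks.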
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index d2b61e6..0b4dcc3 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml
@@ -138,12 +138,12 @@ envoy:
 # - name: groups
 # valueType: StringArray
 # values: ["staff"]
- # # backendRefs: # optional: overrides the global backendRefs above for this policy only
- # # - group: ""
- # # kind: Service
- # # name: keycloak
- # # namespace: keycloak
- # # port: 80
+ # backendRefs: # optional: overrides the global backendRefs above for this policy only
+ # - group: ""
+ # kind: Service
+ # name: keycloak
+ # namespace: keycloak
+ # port: 80
 ##
 ## Cronjob
From 167a5ce1dc435edf36cc9680a109e4d2cca0a4bd Mon Sep 17 00:00:00 2001
From: andibeuge <97287249+andibeuge@users.noreply.github.com>
Date: Mon, 9 Mar 2026 09:40:42 +0100
Subject: [PATCH 3/5] Update parcellab/monolith/values.yaml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 parcellab/monolith/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml
index e6cfbad..a291bfd 100644
--- a/parcellab/monolith/values.yaml
+++ b/parcellab/monolith/values.yaml
@@ -145,8 +145,8 @@ envoy:
 # claimToHeaders:
 # - header: "x-user-email"
 # claim: "email"
- # backendRefs: # optional: backend service for oidc.provider and jwt.remoteJWKS
- # - group: "" # applies globally to all policies unless overridden per-policy
+ # backendRefs: # optional: backend service for oidc.provider and jwt.remoteJWKS; applies globally to all policies unless overridden per-policy
+ # - group: ""
 # kind: Service
 # name: keycloak
 # namespace: keycloak
From c87ac6ad75268cf06eca33074e4f1df2d34e882f Mon Sep 17 00:00:00 2001
From: Andreas Beuge
Date: Mon, 9 Mar 2026 10:29:42 +0100
Subject: [PATCH 4/5] chore: bump chart versions
---
 parcellab/common/Chart.yaml | 2 +-
 parcellab/cronjob/Chart.yaml | 2 +-
 parcellab/microservice/Chart.yaml | 2 +-
 parcellab/monolith/Chart.yaml | 2 +-
 parcellab/worker-group/Chart.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/parcellab/common/Chart.yaml b/parcellab/common/Chart.yaml
index 704b01d..9cf0e75 100644
--- a/parcellab/common/Chart.yaml
+++ b/parcellab/common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A Helm chart library for parcelLab charts
 type: library
-version: 1.3.1
+version: 1.4.0
 maintainers:
 - name: parcelLab
 email: engineering@parcellab.com
diff --git a/parcellab/cronjob/Chart.yaml b/parcellab/cronjob/Chart.yaml
index 481808c..5b55c1d 100644
--- a/parcellab/cronjob/Chart.yaml
+++ b/parcellab/cronjob/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cronjob
 description: Single cron job
-version: 0.4.3
+version: 0.5.0
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/microservice/Chart.yaml b/parcellab/microservice/Chart.yaml
index b32100f..3f29400 100644
--- a/parcellab/microservice/Chart.yaml
+++ b/parcellab/microservice/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: microservice
 description: Simple microservice
-version: 0.5.1
+version: 0.6.0
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/monolith/Chart.yaml b/parcellab/monolith/Chart.yaml
index 5d5baf8..c2e9a8e 100644
--- a/parcellab/monolith/Chart.yaml
+++ b/parcellab/monolith/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: monolith
 description: Application that may define multiple services and cronjobs
-version: 0.5.1
+version: 0.6.0
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/worker-group/Chart.yaml b/parcellab/worker-group/Chart.yaml
index 1e3e70d..c96d362 100644
--- a/parcellab/worker-group/Chart.yaml
+++ b/parcellab/worker-group/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: worker-group
 description: Set of workers that do not expose a service
-version: 0.3.3
+version: 0.4.0
 dependencies:
 - name: common
 version: "*"
From 237c4f94afc49ff4be147f13bb3bd93f7df1492d Mon Sep 17 00:00:00 2001
From: Andreas Beuge
Date: Mon, 9 Mar 2026 10:32:30 +0100
Subject: [PATCH 5/5] chore: bump patch version of charts
---
 parcellab/common/Chart.yaml | 2 +-
 parcellab/microservice/Chart.yaml | 2 +-
 parcellab/monolith/Chart.yaml | 2 +-
 parcellab/worker-group/Chart.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/parcellab/common/Chart.yaml b/parcellab/common/Chart.yaml
index 9cf0e75..e093e50 100644
--- a/parcellab/common/Chart.yaml
+++ b/parcellab/common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A Helm chart library for parcelLab charts
 type: library
-version: 1.4.0
+version: 1.3.2
 maintainers:
 - name: parcelLab
 email: engineering@parcellab.com
diff --git a/parcellab/microservice/Chart.yaml b/parcellab/microservice/Chart.yaml
index 3f29400..acb0b57 100644
--- a/parcellab/microservice/Chart.yaml
+++ b/parcellab/microservice/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: microservice
 description: Simple microservice
-version: 0.6.0
+version: 0.5.2
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/monolith/Chart.yaml b/parcellab/monolith/Chart.yaml
index c2e9a8e..9bb24af 100644
--- a/parcellab/monolith/Chart.yaml
+++ b/parcellab/monolith/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: monolith
 description: Application that may define multiple services and cronjobs
-version: 0.6.0
+version: 0.5.2
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/worker-group/Chart.yaml b/parcellab/worker-group/Chart.yaml
index c96d362..1e3e70d 100644
--- a/parcellab/worker-group/Chart.yaml
+++ b/parcellab/worker-group/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: worker-group
 description: Set of workers that do not expose a service
-version: 0.4.0
+version: 0.3.3
 dependencies:
 - name: common
 version: "*"