Add selfhosted ingress identity forwarding and organizations service

charts/controlplane/values.aws.selfhosted-intracluster.yaml

@@ -478,10 +478,22 @@ ingress:
         - "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
       secretName: "{{ .Values.global.TLS_SECRET_NAME }}"
 
+  # --- Ingress Annotations (shared across all ingress objects) ---
+  annotations:
+    # Allow the nginx controller's internal DNS to match ingress rules so that
+    # intra-cluster traffic (DP → CP via nginx service DNS) is routed through
+    # the same auth subrequest as external traffic. Without this, the :authority
+    # header won't match the ingress host and auth is bypassed.
+    nginx.ingress.kubernetes.io/server-alias: "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
+
   # --- Protected Ingress Auth Annotations ---
   # These configure nginx to validate requests via flyteadmin's /me endpoint
   # and redirect unauthenticated users to /login for the OIDC flow.
   # Active when OIDC authentication is enabled (server.security.useAuth: true).
+  #
+  # All protected endpoints use "https://$host/me" so the auth subrequest goes
+  # through nginx itself. This ensures verifyClaims runs on the access token,
+  # which resolves identitytype for all callers (browser, CLI, service-to-service).
   protectedIngressAnnotations:
     nginx.ingress.kubernetes.io/auth-url: "https://$host/me"
     nginx.ingress.kubernetes.io/auth-signin: "https://$host/login?redirect_url=$escaped_request_uri"

charts/controlplane/values.gcp.selfhosted-intracluster.yaml

@@ -508,7 +508,14 @@ ingress:
         - "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
       secretName: "{{ .Values.global.TLS_SECRET_NAME }}"
 
-  # Protected ingress auth annotations are now defined in the base values.yaml.
+  # --- Ingress Annotations (shared across all ingress objects) ---
+  annotations:
+    # Allow the nginx controller's internal DNS to match ingress rules so that
+    # intra-cluster traffic (DP → CP via nginx service DNS) is routed through
+    # the same auth subrequest as external traffic.
+    nginx.ingress.kubernetes.io/server-alias: "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
+
+  # Protected ingress auth annotations are defined in the base values.yaml.
   # Override here only if you need to customize auth behavior for this deployment mode.
 
 # ----------------------------------------------------------------------------

charts/controlplane/values.yaml

@@ -253,6 +253,31 @@ ingress:
     nginx.ingress.kubernetes.io/auth-url: "http://flyteadmin.{{ template \"flyte.namespace\" . }}.svc.cluster.local/me"
     nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-User-Subject,X-User-Claim-Identitytype,X-User-Claim-Preferred-Username,X-User-Token"
     nginx.ingress.kubernetes.io/auth-cache-key: "$http_authorization$http_flyte_authorization$http_cookie"
+    # For gRPC backends (backend-protocol: GRPC), nginx uses grpc_pass instead
+    # of proxy_pass. The auth-response-headers annotation only sets proxy headers,
+    # not gRPC headers. This configuration-snippet bridges identity headers from
+    # the auth subrequest response into the upstream gRPC request so backend
+    # services receive the caller's identity.
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      auth_request_set $user_id $upstream_http_x_user_subject;
+      proxy_set_header X-User-Subject $user_id;
+      grpc_set_header X-User-Subject $user_id;
+
+      auth_request_set $user_identitytype $upstream_http_x_user_claim_identitytype;
+      proxy_set_header X-User-Claim-Identitytype $user_identitytype;
+      grpc_set_header X-User-Claim-Identitytype $user_identitytype;
+
+      auth_request_set $user_handle $upstream_http_x_user_claim_userhandle;
+      proxy_set_header X-User-Claim-userhandle $user_handle;
+      grpc_set_header X-User-Claim-userhandle $user_handle;
+
+      auth_request_set $groups $upstream_http_x_user_claim_groups;
+      proxy_set_header X-User-Claim-groups $groups;
+      grpc_set_header X-User-Claim-groups $groups;
+
+      more_set_headers "x-request-id: $request_id";
+      proxy_set_header x-request-id $request_id;
+      grpc_set_header x-request-id $request_id;
 
 envoyGateway:
   # GatewayClass name for Envoy Gateway. Used when INGRESS_PROVIDER is "envoy" or "both".
@@ -541,6 +566,38 @@ services:
         secureTunnelTenantURLPattern: http://ingress-nginx-internal.ingress-nginx.svc.cluster.local:80 # http://ingress-nginx-internal.ingress-nginx.svc.cluster.local
         clusterSelector:
           type: local
+  organizations:
+    fullnameOverride: "organizations"
+    sharedService:
+      connectPort: 8081
+    initContainers:
+      - name: migrate
+        args:
+          - cloudorganizations
+          - migrate
+          - --config
+          - "/etc/config/*.yaml"
+    args:
+      - cloudorganizations
+      - serve
+      - --config
+      - /etc/config/*.yaml
+    configMap:
+      sharedService:
+        connectPort: 8081
+        metrics:
+          scope: "organizations:"
+      db:
+        dbname: '{{ .Values.global.DB_NAME }}'
+        host: '{{ .Values.global.DB_HOST }}'
+        username: '{{ .Values.global.DB_USER }}'
+        passwordPath: /etc/db/pass.txt
+        port: 5432
+        connectionPool:
+          maxIdleConnections: 20
+          maxOpenConnections: 20
+          maxConnectionLifetime: 1m
+
   executions:
     fullnameOverride: "executions"
     initContainers: