Merge pull request #282 from crossplane-contrib/pre-release

chore(release): prepare 4.5.0 release

Author: MoeidHeidari

.github/workflows/helm-test.yml

@@ -26,9 +26,8 @@ jobs:
           version: '3.13.0'
 
       - name: Install Helm unittest plugin
-        run: |
-          helm plugin install https://github.com/quintush/helm-unittest.git || true
-          helm plugin update unittest || true
+        # v1.0.1 is the latest helm-unittest release compatible with Helm 3.13 (v1.1.1+ need a newer Helm).
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version v1.0.1
 
       - name: Run Helm Lint
         run: |

CHANGELOG.md

@@ -1,3 +1,31 @@
+# [4.5.0](https://github.com/crossplane-contrib/crossview/compare/v4.4.0...v4.5.0) (2026-06-29)
+
+
+### Bug Fixes
+
+* **oidc:** allow empty issuer to skip discovery for split-horizon setups ([d722457](https://github.com/crossplane-contrib/crossview/commit/d7224577f8f0d149db3a9f2e7be824667f827b12))
+* **relations:** align kind badge and type title across graph and overview ([cc74494](https://github.com/crossplane-contrib/crossview/commit/cc744949f7f364d6395397f0da4ef5b3909e7532))
+* **ci:** fix helm-unittest plugin install on Helm 3.13 and document pinning rationale ([3866a05](https://github.com/crossplane-contrib/crossview/commit/3866a05bd7fcaf1c58f2a877d86071f9848ef1ca), [e32a362](https://github.com/crossplane-contrib/crossview/commit/e32a3628e23c572d03f4bb22cf77cd1436ee8d4f))
+
+
+### Features
+
+* **relations:** show kind badges and health state on graph nodes and overview tab ([bc0deb1](https://github.com/crossplane-contrib/crossview/commit/bc0deb16a44f4364f24d12fbd96f52ad4f9f8154))
+* **frontend:** add ErrorBoundary to prevent full-app crashes ([ae8bb69](https://github.com/crossplane-contrib/crossview/commit/ae8bb69c223639673aa3d4e6384f3889296d6bc2))
+* **ui:** add Crossview favicon and switch to icon-only SVG ([52d3a41](https://github.com/crossplane-contrib/crossview/commit/52d3a41cf2a2d79312f8b56f09c7247d8bf50b7a), [3ea3a5c](https://github.com/crossplane-contrib/crossview/commit/3ea3a5cd8f5f2b3d65edc5ec590ce20f3dde2a29))
+
+
+### Documentation
+
+* clarify PostgreSQL is only required for `auth_mode=session` ([8786f18](https://github.com/crossplane-contrib/crossview/commit/8786f188d3076cc3f41ea72e6227d8f6826e1db0))
+* **oidc:** trim loader issuer comment and mirror empty-issuer defaults in JS config loader ([2d56b2e](https://github.com/crossplane-contrib/crossview/commit/2d56b2e9a96ab767b0eb4f8aeeac771f6d910228), [88256f5](https://github.com/crossplane-contrib/crossview/commit/88256f5a897f8bf4e68f2db5752503c2f3c63711), [53e9ce3](https://github.com/crossplane-contrib/crossview/commit/53e9ce38d55b0303563ff47094c2098e4f0fcbaf))
+
+
+### Other
+
+* cleanups: remove error boundary screenshots and style-only inline comments ([66573ca](https://github.com/crossplane-contrib/crossview/commit/66573ca49558d4306fbf7f4cfd9987d352f7f08b), [07a414b](https://github.com/crossplane-contrib/crossview/commit/07a414bc4d26a4ef57d6c6f228550e81aa96b9db))
+* maintenance: update roadmap/dashboard assets and next-version metadata ([223a722](https://github.com/crossplane-contrib/crossview/commit/223a722e1ca4c3f57a8ae724fb69c91d4fed12bf), [b4c98c2](https://github.com/crossplane-contrib/crossview/commit/b4c98c2149ffdb10f70659bbab18f9369aa0db85))
+
 # [4.4.0](https://github.com/crossplane-contrib/crossview/compare/v3.9.0...v4.4.0) (2026-05-19)
 
 

README.md

@@ -61,7 +61,7 @@
 
 - Node.js 20+ (for frontend development)
 - Go 1.24+ (for backend server)
-- PostgreSQL database (port 8920 by default, or set via `DB_PORT` env var)
+- PostgreSQL database — only required when using `auth_mode: session` (the default). For local development without a database, set `auth_mode: none` in `config/config.yaml` (see `config/examples/config-none.yaml.example`).
 - Kubernetes config file at `~/.kube/config` (or set `KUBECONFIG` env var)
 
 ### Install Dependencies

config/loader.js

@@ -76,7 +76,7 @@ export const loadConfig = (configPath = null) => {
       enabled: process.env.SSO_ENABLED === 'true' || fileConfig.sso?.enabled === true,
       oidc: {
         enabled: process.env.OIDC_ENABLED === 'true' || fileConfig.sso?.oidc?.enabled === true,
-        issuer: process.env.OIDC_ISSUER || fileConfig.sso?.oidc?.issuer || 'http://localhost:8080/realms/crossview',
+        issuer: process.env.OIDC_ISSUER || fileConfig.sso?.oidc?.issuer || '',
         clientId: process.env.OIDC_CLIENT_ID || fileConfig.sso?.oidc?.clientId || 'crossview-client',
         clientSecret: process.env.OIDC_CLIENT_SECRET || fileConfig.sso?.oidc?.clientSecret || '',
         authorizationURL: process.env.OIDC_AUTHORIZATION_URL || fileConfig.sso?.oidc?.authorizationURL || '',

crossview-go-server/api/controllers/sso/sso_test_helpers.go

@@ -73,7 +73,7 @@ func TestSSOConfig_OIDC_Enabled(t *testing.T) {
 	assert.True(t, cfg.Enabled)
 	assert.True(t, cfg.OIDC.Enabled)
 	assert.False(t, cfg.SAML.Enabled)
-	assert.Equal(t, "http://localhost:8080/realms/crossview", cfg.OIDC.Issuer)
+	assert.Empty(t, cfg.OIDC.Issuer)
 	assert.Equal(t, "crossview-client", cfg.OIDC.ClientId)
 	assert.Equal(t, "openid profile email", cfg.OIDC.Scope)
 }

crossview-go-server/lib/sso_config.go

@@ -69,7 +69,7 @@ func getOIDCConfig(enabledStr string) OIDCConfig {
 		Issuer: firstNonEmpty(
 			os.Getenv("OIDC_ISSUER"),
 			viper.GetString("sso.oidc.issuer"),
-			"http://localhost:8080/realms/crossview",
+			"",
 		),
 		ClientId: firstNonEmpty(
 			os.Getenv("OIDC_CLIENT_ID"),

docs/GETTING_STARTED.md

@@ -69,6 +69,8 @@ docker run -p 3001:3001 \
   ghcr.io/crossplane-contrib/crossview:latest
 ```
 
+> **Note:** PostgreSQL is only required when using `auth_mode: session` (the default). For local development without a database, copy `config/examples/config-none.yaml.example` to `config/config.yaml` — the backend will skip the database connection entirely.
+
 ## First Steps After Installation
 
 1. **Access the Dashboard**

docs/ROADMAP.md

@@ -4,69 +4,65 @@ This roadmap outlines the planned direction for **CrossView**, the open-source d
 
 We welcome contributions, discussions, and new ideas via GitHub Issues, Discussions, or Pull Requests!
 
-## Current Status (as of February 2026)
-- Stable core features: real-time resource watching, interactive relationship graphs, multi-cluster support, detailed resource views, OIDC/SAML SSO, Helm chart deployment
-- Latest release: v3.5.0 (February 2026)
+## Current Status (as of June 2026)
+
+- Stable core features: real-time resource watching, interactive relationship graphs, **partial multi-cluster support** (full support when running outside Kubernetes via kubeconfig; limited to single cluster when deployed inside via Helm/service account), detailed resource views, OIDC/SAML SSO, Helm chart deployment
+- Latest release: v4.0.0 (June 2026)
 - Actively maintained with frequent updates
 
-## Short-term (Next 3–6 months) – v3.6 – v4.x
-Focus: Security hardening, usability improvements, and production readiness
+## Short-term (Next 3–6 months) – v4.x
+**Focus:** Security hardening, real-time experience, usability, and ecosystem integrations
 
 - **Fine-grained RBAC permissions**  
   Implement Kubernetes-native authorization checks (via SubjectAccessReview API) so users only see/edit resources they are allowed to access. Support Crossplane-specific verbs (e.g., view compositions, approve claims).
 
-- **Customizable dashboard**  
-  Allow users to create personalized views: rearrange widgets, pin favorite resources/clusters, create custom filters/queries, and save dashboard layouts per user or team.
-
-- **Automatic user role sync from Identity Provider (IDP) when SSO is enabled**  
-  When using OIDC/SAML, automatically map IDP groups/roles/claims to CrossView permissions or Kubernetes RBAC bindings. Support common providers (Keycloak, Okta, Auth0, Azure AD) with configurable mapping rules.
+- **Improved resource watching**  
+  Significantly enhance real-time watching: better performance on large clusters, smarter event filtering, improved reconnection logic, and reduced latency.
 
 - **Improved search and filtering**  
-  Advanced full-text search across all resource fields, saved searches, and quick filters (e.g., by status, provider, composition name).
+  Advanced full-text search across all resource fields, saved searches, quick filters (by status, provider, composition, cluster), and cross-cluster search.
 
 - **Events & audit log viewer**  
-  Dedicated tab for browsing Kubernetes events and Crossplane reconciliation events with filtering, timestamps, and correlation to resources.
+  Dedicated tab for browsing Kubernetes events and Crossplane reconciliation events with filtering, timestamps, and direct correlation to resources.
 
-- **Dark mode refinements & accessibility improvements**  
-  Full WCAG compliance checks, keyboard navigation, screen reader support.
+- **Full multi-cluster support (in-cluster)**  
+  Enable true multi-cluster management when CrossView is deployed inside Kubernetes (via Helm). Support loading multiple kubeconfigs, using external cluster credentials/secrets, unified views, easy context switching, and cluster grouping — removing the current limitation of single-cluster service-account access.
 
-## Medium-term (6–12 months) – v4.x – v5.x
-Focus: Deeper Crossplane integration, observability, and extensibility
+- **Native Headlamp Plugin**  
+  Develop a native Headlamp plugin (see [crossview-headlamp](https://github.com/MoeidHeidari/crossview-headlamp)) that integrates the CrossView UI into Headlamp while using **CrossView’s own backend**. The plugin will connect to the CrossView backend service instead of relying on Headlamp’s backend, providing a seamless experience within Headlamp’s interface while leveraging CrossView’s full capabilities (real-time watching, graphs, etc.).
 
-- **Composition & claim workflow enhancements**  
-  Visual editor for creating/editing Compositions and Claims (with YAML preview and validation), dry-run previews, and one-click apply.
+## Medium-term (6–12 months) – v4.x – v5.x
+**Focus:** Deeper Crossplane integration, visibility, and GitOps alignment
 
-- **Provider & managed resource health dashboard**  
-  Aggregated health overview per provider (e.g., AWS, GCP, Azure), showing unhealthy resources, drift detection alerts, and quick actions.
+- **Resource diff & history viewer (YAML support)**  
+  Side-by-side and unified YAML diff, generation-based history, change attribution, and drift visualization.
 
-- **Multi-tenancy & team workspaces**  
-  Namespace/project-based isolation, team-specific dashboards, and resource quotas visibility.
+- **GitOps integration**  
+  Show Git commit links for managed resources and claims via annotations. Basic drift detection against Git source.
 
-- **Alerting & notifications**  
-  Integrate with common tools (Slack, PagerDuty, email) for critical events (e.g., reconciliation failures, resource deletion, composition drift).
+- **Full Flux/Argo CD deep integration**  
+  Deep support for Flux and Argo CD: reconciliation status, sync state, Git repository linking, and visual indicators for drift or sync failures.
 
-- **Resource diff & history viewer**  
-  Show changes over time (generation diffs), previous states, and who/what triggered updates.
+- **Full resource map / relationship graph improvements**  
+  Enhanced interactive resource map showing full dependency graphs across clusters, with better filtering and navigation.
 
-- **CLI companion tool**  
-  Lightweight `crossview` CLI for quick resource lookups, context switching, and dashboard URL generation.
+- **Analytics page**  
+  Overview dashboard with usage statistics, resource distribution, health trends, and Crossplane adoption metrics across clusters.
 
 ## Long-term (12+ months) – v5.x+
-Focus: Ecosystem leadership and advanced features
+**Focus:** Advanced capabilities and ecosystem leadership
 
 - **Crossplane-native plugin system**  
   Allow community extensions (custom widgets, resource renderers, actions) via WebAssembly or simple JS plugins.
 
 - **Cost & usage insights**  
-  Integrate with provider-specific cost APIs (where available) to show estimated costs per composition/claim.
-
-- **GitOps integration**  
-  Show Git commit links for managed resources (via annotations), drift detection against Git source.
+  Integrate with provider-specific cost APIs to show estimated costs per composition/claim.
 
 - **AI-assisted troubleshooting**  
   Natural language query support and suggested fixes (optional opt-in, using local or user-provided LLM).
 
 ## How to Influence the Roadmap
+
 - Open a GitHub Issue or Discussion for feature requests
 - Upvote existing issues to show demand
 - Contribute code, tests, docs, or design feedback

docs/SSO_SETUP.md

@@ -72,7 +72,27 @@ sso:
 3. **Copy the client ID and secret** to your config
 4. **Use the issuer URL** (usually ends with `/realms/...` or `/oauth2/...`)
 
-The implementation supports **OIDC Discovery** - if you provide the `issuer` URL, it will automatically discover the authorization, token, and userinfo endpoints.
+The implementation supports **OIDC Discovery** - if you provide the `issuer` URL, it will automatically discover the authorization, token, and userinfo endpoints. The discovered endpoints take precedence over any explicit `authorizationURL`/`tokenURL`/`userInfoURL` you set.
+
+### Split-horizon endpoints (public authorize + in-cluster token)
+
+Leave `issuer` empty to **skip discovery** and use the explicit `authorizationURL`, `tokenURL`, and `userInfoURL` exactly as written. This is required when the identity provider is reachable at different URLs from the browser and from inside the cluster — a public `authorizationURL` for the user's browser redirect, plus in-cluster `tokenURL`/`userInfoURL` for the server-side code→token exchange and userinfo lookup:
+
+```yaml
+sso:
+  enabled: true
+  oidc:
+    enabled: true
+    issuer: ""                                                   # empty -> discovery skipped
+    authorizationURL: https://idp.example.com/authorize          # browser-reachable
+    tokenURL: http://idp.idp.svc.cluster.local:5556/token        # in-cluster
+    userInfoURL: http://idp.idp.svc.cluster.local:5556/userinfo  # in-cluster
+    clientId: your-client-id
+    clientSecret: your-client-secret
+    callbackURL: https://crossview.example.com/api/auth/oidc/callback
+```
+
+Because a non-empty `issuer` makes discovery override the explicit endpoints, split-horizon setups must leave `issuer` empty.
 
 ## SAML Configuration
 

helm/crossview/templates/configmap.yaml

@@ -30,7 +30,7 @@ data:
   LOG_LEVEL: {{ .Values.config.server.log.level | default "info" | quote }}
   CORS_ORIGIN: {{ .Values.config.server.cors.origin | default "http://localhost:5173" | quote }}
   OIDC_ENABLED: {{ .Values.config.sso.oidc.enabled | default false | quote }}
-  OIDC_ISSUER: {{ .Values.config.sso.oidc.issuer | default "http://localhost:8080/realms/crossview" | quote }}
+  OIDC_ISSUER: {{ .Values.config.sso.oidc.issuer | default "" | quote }}
   OIDC_CLIENT_ID: {{ .Values.config.sso.oidc.clientId | default "crossview-client" | quote }}
   OIDC_AUTHORIZATION_URL: {{ .Values.config.sso.oidc.authorizationURL | default "" | quote }}
   OIDC_TOKEN_URL: {{ .Values.config.sso.oidc.tokenURL | default "" | quote }}