mirror from operator 3.166.0- 2026-06-03

Author: github-actions[bot]

mirrord-license-server/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: mirrord-operator-license-server
-description: A Helm chart for Kubernetes
+description: Self-hosted, air-gapped license server for the mirrord Operator that manages Enterprise licenses with no external telemetry.
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,10 +15,36 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.165.0
+version: 3.166.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.165.0"
+appVersion: "3.166.0"
+
+home: https://metalbear.com/mirrord
+icon: https://raw.githubusercontent.com/metalbear-co/mirrord/main/images/icon.png
+sources:
+  - https://github.com/metalbear-co/charts
+keywords:
+  - mirrord
+  - kubernetes
+  - license-server
+  - air-gapped
+  - enterprise
+  - metalbear
+maintainers:
+  - name: MetalBear
+    email: eyal@metalbear.com
+    url: https://metalbear.com
+annotations:
+  artifacthub.io/links: |
+    - name: Documentation
+      url: https://metalbear.com/mirrord/docs
+    - name: Pricing
+      url: https://metalbear.com/mirrord/pricing
+    - name: Source
+      url: https://github.com/metalbear-co/charts
+    - name: support
+      url: https://github.com/metalbear-co/mirrord/issues

mirrord-license-server/templates/_helpers.tpl

@@ -6,3 +6,90 @@ app.kubernetes.io/instance: {{ $.Release.Name }}
 app.kubernetes.io/version: {{ $.Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ $.Release.Service }}
 {{- end }}
+
+{{- define "mirrord-license-server.samlProxyConfigMapName" -}}
+mirrord-license-server-saml-proxy-config
+{{- end }}
+
+{{- define "mirrord-license-server.samlProxyAssetsSecretName" -}}
+mirrord-license-server-saml-proxy-assets
+{{- end }}
+
+{{- define "mirrord-license-server.samlProxyServerConfig" -}}
+# Disable "forward proxy" mode.
+# We only want Apache to proxy to our own localhost backends, never to arbitrary destinations.
+ProxyRequests Off
+# Forward the original Host header to the backend instead of rewriting it to 127.0.0.1.
+# This preserves the externally visible hostname in case the backend needs it.
+ProxyPreserveHost On
+# Add standard proxy headers such as X-Forwarded-For and X-Forwarded-Proto.
+ProxyAddHeaders On
+
+# Remove any identity headers that arrived from the outside world.
+# This prevents a client from spoofing authentication by sending these headers directly.
+RequestHeader unset X-Remote-User
+RequestHeader unset X-Remote-Group
+RequestHeader unset X-Remote-Extra-NameID
+RequestHeader unset X-Remote-Extra-SessionIndex
+
+# Do not proxy the internal Mellon endpoints.
+# The "!" target means "leave this path to Apache itself", which is required because
+# mod_auth_mellon serves its own login/logout/assertion-consumer endpoints here.
+ProxyPass "/mellon" "!"
+# When the dashboard is enabled, its report endpoints live on the dashboard port.
+# These must be matched before the broader "/api/" rule below.
+ProxyPass "/api/" "http://127.0.0.1:{{ add .Values.dashboard.port 1 }}/api/"
+# Rewrite redirects from the dashboard report endpoints back to the public URL space.
+ProxyPassReverse "/api/" "http://127.0.0.1:{{ add .Values.dashboard.port 1 }}/api/"
+# Send all non-API browser traffic to the dashboard web UI.
+ProxyPass "/" "http://127.0.0.1:{{ add .Values.dashboard.port 1 }}/"
+# Rewrite redirects from the dashboard web UI back to the public URL space.
+ProxyPassReverse "/" "http://127.0.0.1:{{ add .Values.dashboard.port 1 }}/"
+# Apply SAML authentication to everything by default.
+# More specific Location blocks below carve out exceptions for health checks and Mellon's own
+# internal endpoints.
+<Location />
+  # Tell Apache to use mod_auth_mellon as the authentication provider here.
+  AuthType Mellon
+  # Run the full SAML login flow on this path.
+  MellonEnable auth
+  # Allow any successfully authenticated user through.
+  Require valid-user
+  # Identity Provider (IdP) metadata:
+  # describes the corporate SAML provider we redirect the browser to and trust assertions from.
+  MellonIdPMetadataFile "{{ .Values.saml.proxy.assets.mountPath }}/idp-metadata.xml"
+  # Service Provider (SP) metadata:
+  # describes this Apache proxy as a SAML participant.
+  MellonSPMetadataFile "{{ .Values.saml.proxy.assets.mountPath }}/sp-metadata.xml"
+  # Private key belonging to this Service Provider.
+  # Mellon uses it together with the certificate below when participating in SAML exchanges.
+  MellonSPPrivateKeyFile "{{ .Values.saml.proxy.assets.mountPath }}/sp.key"
+  # Public certificate that matches the Service Provider private key above.
+  MellonSPCertFile "{{ .Values.saml.proxy.assets.mountPath }}/sp.cert"
+  # URL prefix where Mellon exposes its own SAML helper endpoints such as login callbacks.
+  MellonEndpointPath /mellon
+  # The IdP returns the SAML assertion via a cross-site POST to the ACS endpoint, so the
+  # browser must send Mellon's session cookie on that cross-site request. Browsers only do
+  # this for SameSite=None cookies, and only honor SameSite=None when the cookie is Secure.
+  # The proxy must therefore be reached over HTTPS (TLS terminated here or upstream).
+  MellonSecureCookie On
+  MellonCookieSameSite None
+  # Copy the authenticated username into a trusted header for downstream Rust services.
+  # The value comes from Apache's REMOTE_USER environment variable after SAML login succeeds.
+  RequestHeader set X-Remote-User "%{REMOTE_USER}e" env=REMOTE_USER
+  # Forward the SAML NameID in a generic "extra" header for downstream consumers that want it.
+  RequestHeader set X-Remote-Extra-NameID "%{MELLON_NAME_ID}e" env=MELLON_NAME_ID
+  # Forward the SAML SessionIndex in a generic "extra" header for downstream consumers.
+  RequestHeader set X-Remote-Extra-SessionIndex "%{MELLON_SESSION_INDEX}e" env=MELLON_SESSION_INDEX
+</Location>
+
+# Expose Mellon's own helper endpoints without trying to protect them with another SAML round.
+# These endpoints are part of the SAML handshake itself.
+<Location /mellon>
+  # "info" tells Mellon to handle its own endpoints here without requiring a normal protected
+  # application request.
+  MellonEnable info
+  # Allow the browser and the Identity Provider to reach these helper endpoints.
+  Require all granted
+</Location>
+{{- end }}

mirrord-license-server/templates/deployment.yaml

@@ -1,6 +1,13 @@
 {{- if and (gt (int .Values.server.replicas) 1) (eq .Values.database.kind "sqlite") }}
   {{- fail "unable to set more than 1 replica when using sqlite, please switch to postgres database for multiple replicas" }}
 {{- end }}
+{{- $tlsEnabled := or (not (empty (index .Values.tls.data "tls.key"))) .Values.tls.certManager.enabled }}
+{{- if and .Values.saml.enabled (not .Values.dashboard.enabled) }}
+  {{- fail "saml.enabled=true requires dashboard.enabled=true" }}
+{{- end }}
+{{- if and .Values.saml.enabled .Values.dashboard.enabled (not (or .Values.saml.proxy.assets.existingSecret .Values.saml.proxy.assets.data)) }}
+  {{- fail "saml.proxy.assets.existingSecret or saml.proxy.assets.data is required when saml.enabled=true" }}
+{{- end }}
 
 apiVersion: apps/v1
 kind: Deployment
@@ -16,7 +23,7 @@ spec:
   selector:
     matchLabels:
       app: mirrord-license-server
-  {{- if eq .Values.database.kind "sqlite" }}
+  {{- if or (eq .Values.database.kind "sqlite") .Values.database.migrateFromSqlite }}
   strategy:
     # This is needed, as the license server uses a ReadWriteOnce PVC.
     type: Recreate
@@ -49,10 +56,10 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
         {{/* Allow low port using ip_unprivileged_port_start */}}
-        {{- if lt (int .Values.server.port) 1024 -}}
+        {{- if or (lt (int .Values.server.port) 1024) (lt (int .Values.dashboard.port) 1024) -}}
         sysctls:
         - name: net.ipv4.ip_unprivileged_port_start
-          value: {{ .Values.server.port | quote}}
+          value: {{ min (int .Values.server.port) (int .Values.dashboard.port) | quote}}
         {{- end }}
       {{- if .Values.server.tolerations }}
       tolerations:
@@ -68,6 +75,7 @@ spec:
       {{- end }}
 
       containers:
+      # License server container
       - args: ["license-server"]
         env:
         - name: RUST_LOG
@@ -80,6 +88,10 @@ spec:
         {{- else if eq .Values.database.kind "postgres" }}
         - name: DATABASE_TYPE
           value: "postgres"
+        {{- if .Values.database.migrateFromSqlite }}
+        - name: MIGRATE_DATABASE_URL
+          value: sqlite:///opt/mirrord/data/license-server.db
+        {{- end }}
         {{- if kindIs "string" .Values.database.host }}
         - name: PGHOST
           value: {{ .Values.database.host | quote }}
@@ -148,12 +160,27 @@ spec:
         {{- if .Values.dashboard.enabled }}
         - name: DASHBOARD_ENABLED
           value: "true"
-        - name: DASHBOARD_PORT
-          value: {{ .Values.dashboard.port | quote }}
+        {{- end }}
+        {{- if .Values.dashboard.enabled }}
+        - name: DASHBOARD_ADDRESS
+        {{- if .Values.saml.enabled }}
+          # SAML proxy listens on the dashboard port on public IP.
+          # License server listens on a different port on localhost.
+          value: {{ printf "127.0.0.1:%d" (add (int .Values.dashboard.port) 1) | quote }}
+        {{- else }}
+          # There is no proxy.
+          # License server listens on the dashboard port on public IP.
+          value: {{ printf "0.0.0.0:%d" (int .Values.dashboard.port) | quote }}
+        {{- end }}
+        {{- if .Values.saml.enabled }}
+        # SAML proxy terminates TLS and injects verified headers.
+        - name: DASHBOARD_AUTH_PROXY
+          value: "true"
+        {{- end }}
         {{- end }}
         - name: ERROR_EVENTS_RETENTION_DAYS
           value: {{ .Values.server.retention.operatorErrors | quote }}
-        {{- if or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled }}
+        {{- if $tlsEnabled }}
         - name: TLS_CERT_PATH
           value: /tls/tls.crt
         - name: TLS_KEY_PATH
@@ -182,21 +209,21 @@ spec:
           httpGet:
             path: /health
             port: {{ .Values.server.port }}
-            scheme: {{ or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled | ternary "HTTPS" "HTTP" | quote }}
+            scheme: {{ $tlsEnabled | ternary "HTTPS" "HTTP" | quote }}
           periodSeconds: 5
         name: license-server
         ports:
         - containerPort: {{ .Values.server.port }}
           name: https
-        {{- if .Values.dashboard.enabled }}
+        {{- if and .Values.dashboard.enabled (not .Values.saml.enabled) }}
         - containerPort: {{ .Values.dashboard.port }}
           name: dashboard
         {{- end }}
         readinessProbe:
           httpGet:
             path: /health
             port: {{ .Values.server.port }}
-            scheme: {{ or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled | ternary "HTTPS" "HTTP" | quote }}
+            scheme: {{ $tlsEnabled | ternary "HTTPS" "HTTP" | quote }}
           periodSeconds: 5
         resources:
           requests:
@@ -210,7 +237,7 @@ spec:
           privileged: false
           readOnlyRootFilesystem: true
         volumeMounts:
-        {{- if or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled }}
+        {{- if $tlsEnabled }}
         - mountPath: /tls
           name: tls-volume
         {{- end }}
@@ -220,15 +247,54 @@ spec:
           name: license-volume
         {{- end }}
         # needed for the license-server create sqlite database
-        {{- if eq .Values.database.kind "sqlite" }}
+        {{- if or (eq .Values.database.kind "sqlite") .Values.database.migrateFromSqlite }}
         - mountPath: /opt/mirrord/data
           name: data
         {{- end }}
         - mountPath: /tmp
           name: tmp
+
+      {{- if and .Values.saml.enabled .Values.dashboard.enabled }}
+      # SAML proxy container
+      - name: saml-proxy
+        image: {{ .Values.saml.proxy.image }}:{{ .Values.saml.proxy.tag }}
+        imagePullPolicy: {{ default "IfNotPresent" .Values.saml.proxy.imagePullPolicy }}
+        {{- if .Values.saml.proxy.extraEnv }}
+        env:
+        {{- range $name, $value := .Values.saml.proxy.extraEnv }}
+        - name: {{ $name }}
+          value: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
+        ports:
+        - containerPort: {{ .Values.dashboard.port }}
+          name: dashboard
+        resources:
+          {{- toYaml .Values.saml.proxy.resources | nindent 10 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: false
+        volumeMounts:
+        - mountPath: /usr/local/apache2/conf/httpd.conf
+          name: saml-proxy-config
+          subPath: httpd.conf
+        {{- if or .Values.saml.proxy.assets.existingSecret .Values.saml.proxy.assets.data }}
+        - mountPath: {{ .Values.saml.proxy.assets.mountPath }}
+          name: saml-proxy-assets
+          readOnly: true
+        {{- end }}
+        {{- if $tlsEnabled }}
+        - mountPath: /tls
+          name: tls-volume
+        {{- end }}
+        - mountPath: /tmp
+          name: tmp
+      {{- end }}
+
       serviceAccountName: {{ .Values.sa.name }}
       volumes:
-      {{- if or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled }}
+      {{- if $tlsEnabled }}
       - name: tls-volume
         secret:
           secretName: {{ .Values.tls.secret }}
@@ -239,10 +305,20 @@ spec:
         secret:
           secretName: {{ .Values.license.file.secret }}
       {{- end }}
-      {{- if eq .Values.database.kind "sqlite" }}
+      {{- if or (eq .Values.database.kind "sqlite") .Values.database.migrateFromSqlite }}
       - name: data
         persistentVolumeClaim:
           claimName: mirrord-license-server-pvc
       {{- end }}
+      {{- if and .Values.saml.enabled .Values.dashboard.enabled }}
+      - name: saml-proxy-config
+        configMap:
+          name: {{ include "mirrord-license-server.samlProxyConfigMapName" . }}
+      {{- if or .Values.saml.proxy.assets.existingSecret .Values.saml.proxy.assets.data }}
+      - name: saml-proxy-assets
+        secret:
+          secretName: {{ default (include "mirrord-license-server.samlProxyAssetsSecretName" .) .Values.saml.proxy.assets.existingSecret }}
+      {{- end }}
+      {{- end }}
       - emptyDir: {}
         name: tmp

mirrord-license-server/templates/pvc.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.database.kind "sqlite" }}
+{{- if or (eq .Values.database.kind "sqlite") .Values.database.migrateFromSqlite }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:

mirrord-license-server/templates/saml-proxy-assets.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.saml.enabled .Values.dashboard.enabled .Values.saml.proxy.assets.data }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mirrord-license-server.samlProxyAssetsSecretName" . }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "mirrord-license-server.labels" . | nindent 4 }}
+stringData:
+  {{- toYaml .Values.saml.proxy.assets.data | nindent 2 }}
+type: Opaque
+{{- end }}