Add Kubernetes deployment support for authorization policy service

Expose authz API port (8082) in Dockerfile and create /app/policies
directory. Extend Helm chart with configurable authz section: inline
KDL policy ConfigMap, existing ConfigMap reference, policies volume
mount, Service port, and a NetworkPolicy restricting the authz port
to same-namespace traffic while leaving the OIDC port unrestricted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile

@@ -30,7 +30,7 @@ RUN apt-get update && \
 
 # Create non-root user
 RUN useradd -r -u 1000 -s /bin/false barycenter && \
-    mkdir -p /app/data /app/config && \
+    mkdir -p /app/data /app/config /app/policies && \
     chown -R barycenter:barycenter /app
 
 WORKDIR /app
@@ -47,8 +47,8 @@ RUN chown -R barycenter:barycenter /app
 # Switch to non-root user
 USER barycenter
 
-# Expose default port
-EXPOSE 8080
+# Expose default ports (OIDC, admin GraphQL, authz API)
+EXPOSE 8080 8081 8082
 
 # Health check
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \

deploy/helm/barycenter/templates/authz-networkpolicy.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.config.authz.enabled .Values.authz.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "barycenter.fullname" . }}-authz
+  labels:
+    {{- include "barycenter.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "barycenter.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  ingress:
+  # Allow unrestricted access to the OIDC HTTP port
+  - ports:
+    - port: http
+      protocol: TCP
+  # Restrict authz port to same-namespace pods only
+  - from:
+    - podSelector: {}
+    ports:
+    - port: authz
+      protocol: TCP
+{{- end }}

deploy/helm/barycenter/templates/authz-policies-configmap.yaml

@@ -0,0 +1,13 @@
+{{- if and .Values.config.authz.enabled (not .Values.authz.existingConfigMap) .Values.authz.policies }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "barycenter.fullname" . }}-authz-policies
+  labels:
+    {{- include "barycenter.labels" . | nindent 4 }}
+data:
+  {{- range $filename, $content := .Values.authz.policies }}
+  {{ $filename }}: |
+    {{- $content | nindent 4 }}
+  {{- end }}
+{{- end }}

deploy/helm/barycenter/templates/configmap.yaml

@@ -23,3 +23,12 @@ data:
 
     [federation]
     trust_anchors = {{ .Values.config.federation.trustAnchors | toJson }}
+    {{- if .Values.config.authz.enabled }}
+
+    [authz]
+    enabled = true
+    {{- if .Values.config.authz.port }}
+    port = {{ .Values.config.authz.port }}
+    {{- end }}
+    policies_dir = {{ .Values.config.authz.policiesDir | quote }}
+    {{- end }}

deploy/helm/barycenter/templates/deployment.yaml

@@ -17,6 +17,9 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if and .Values.config.authz.enabled (not .Values.authz.existingConfigMap) .Values.authz.policies }}
+        checksum/authz-policies: {{ include (print $.Template.BasePath "/authz-policies-configmap.yaml") . | sha256sum }}
+        {{- end }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -75,6 +78,11 @@ spec:
         - name: http
           containerPort: {{ .Values.config.server.port }}
           protocol: TCP
+        {{- if .Values.config.authz.enabled }}
+        - name: authz
+          containerPort: {{ .Values.config.authz.port | default (add .Values.config.server.port 2) }}
+          protocol: TCP
+        {{- end }}
         {{- if .Values.env }}
         env:
           {{- toYaml .Values.env | nindent 8 }}
@@ -87,6 +95,11 @@ spec:
         - name: data
           mountPath: /app/data
         {{- end }}
+        {{- if .Values.config.authz.enabled }}
+        - name: authz-policies
+          mountPath: {{ .Values.config.authz.policiesDir }}
+          readOnly: true
+        {{- end }}
         livenessProbe:
           {{- toYaml .Values.livenessProbe | nindent 10 }}
         readinessProbe:
@@ -110,6 +123,11 @@ spec:
         secret:
           secretName: {{ .Values.userSync.existingSecret }}
       {{- end }}
+      {{- if .Values.config.authz.enabled }}
+      - name: authz-policies
+        configMap:
+          name: {{ if .Values.authz.existingConfigMap }}{{ .Values.authz.existingConfigMap }}{{ else }}{{ include "barycenter.fullname" . }}-authz-policies{{ end }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

deploy/helm/barycenter/templates/service.yaml

@@ -15,5 +15,11 @@ spec:
     targetPort: http
     protocol: TCP
     name: http
+  {{- if .Values.config.authz.enabled }}
+  - port: {{ .Values.config.authz.port | default (add .Values.config.server.port 2) }}
+    targetPort: authz
+    protocol: TCP
+    name: authz
+  {{- end }}
   selector:
     {{- include "barycenter.selectorLabels" . | nindent 4 }}

deploy/helm/barycenter/values.yaml

@@ -118,6 +118,27 @@ config:
   federation:
     trustAnchors: []
 
+  authz:
+    enabled: false
+    # port defaults to server.port + 2 if not set
+    # port: 8082
+    policiesDir: "/app/policies"
+
+# Authorization policy service
+authz:
+  # Inline KDL policy files (rendered into a ConfigMap)
+  # Each key is a filename, value is the KDL policy content
+  policies: {}
+  #   vm_policy.kdl: |
+  #     resource "vm" { ... }
+
+  # OR reference an existing ConfigMap containing .kdl files
+  existingConfigMap: ""
+
+  # NetworkPolicy restricting authz port to same-namespace pods only
+  networkPolicy:
+    enabled: true
+
 # Environment variables for main container
 # Supports full Kubernetes env var specification including valueFrom
 env: