# The Helm chart
The deployment chart shape renders an Auth adapter, Service, NetworkPolicy, optional protected mock API, optional caller with broker sidecar, and bundle mounts. It is designed to render cleanly without a live cluster so reviewers can inspect the resources before anything is applied.
## Render locally

```shell
helm template tp-auth charts/trustplane-oss-auth --namespace trustplane-auth
./scripts/render-chart.sh
```
Expected output includes an adapter Deployment, adapter Service, adapter NetworkPolicy, and no public broker Service. The broker, when used, is a pod-local sidecar.
## Template shape

## Key values

Adapter behavior:

```yaml
adapter:
  port: 8081
  upstream: http://127.0.0.1:8080
  audience: example-api
  trustDomain: example.invalid
  routeId: example.route
  routePolicyMode: route-id
  proofMode: transcript-v1
  requiredKeyBinding: software
```
Signed bundle mounts:

```yaml
bundle:
  mountDirectory: /etc/trustplane
  trustBundleMountPath: /etc/trustplane/trustplane-bundle.json
  policyBundleMountPath: /etc/trustplane/trustplane.policy.bundle.json
  policyBundleFreshnessWindow: 5s
  trustBundle:
    configMapName: ""
    secretName: ""
    key: trustplane-bundle.json
  policyBundle:
    configMapName: ""
    secretName: ""
    key: trustplane.policy.bundle.json
```
The chart mounts bundle object names; it does not create live bundle data. Create, review, sign, and mount bundle objects through an environment-appropriate process before the adapter starts.
Immutable adapter artifact:

Use the private preview adapter image only with the pinned version and digest from Install & artifacts. Do not use `latest`.

```yaml
image:
  repository: ghcr.io/trustplane-dev/trustplane-auth-adapter
  tag: v0.1.0-rc.1
  digest: sha256:ec419221c8f7be194d5c7ada5e20725e4fe4c48c6cea266902f22b703364f2c5
```
Replay safety:

```yaml
replicaCount: 1
replay:
  store: memory
  multiReplica: false
  redis:
    addr: ""
```
If the adapter is configured for multiple replicas while using memory replay, the chart should fail to render. Multi-replica adapters need shared replay state.
Security context defaults:

```yaml
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  fsGroup: 65532
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
  readOnlyRootFilesystem: true
  runAsNonRoot: true
networkPolicy:
  enabled: true
```
Optional external entrypoint:

```yaml
service:
  type: ClusterIP
```
Use an external Service, ingress, or gateway only when the environment has the right TLS, authorization, and upstream isolation controls.
## Example profiles

Example values should be non-secret and render-only:

| Profile | Purpose |
|---|---|
| adapter-only-values.yaml | Adapter in front of an existing upstream, signed bundles mounted read-only. |
| values.yaml | Adapter plus internal mock API for local or review environments. |
| spiffe-m2m-values.yaml | Caller with broker sidecar and SPIFFE/SPIRE workload identity profile. |
| policy.bundle.multi-route.example.json | One adapter protecting multiple business routes. |
## Broker sidecar

The broker sidecar is disabled by default. When enabled, it should run only inside the caller pod, communicate over a pod-local Unix socket, and use explicit workload-identity configuration. The chart should still render no broker Service and no host-level socket.

```yaml
broker:
  sidecar:
    enabled: true
    image:
      repository: ghcr.io/trustplane-dev/trustplane-auth-broker
      tag: v0.1.0-rc.1
      digest: sha256:4f05c71eff0f5f5563f474dd8c534228c5f32438526c330950439b7d48758177
    spiffeProfile: trustplane-spiffe-spire-k8s-v1
    keyBinding: attested_workload
```
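The render expectations from "Render locally" (one adapter Deployment, Service and NetworkPolicy, no public broker Service) and the sidecar rules above (broker only inside the caller pod, pod-local socket, no host-level socket) are properties a reviewer can check mechanically over the `helm template` output. The following Python inspection is an added example and not part of the chart or its scripts. The objects are constructed inline as dicts standing in for parsed rendered manifests; the `app.kubernetes.io/component` label values, the container names `adapter`, `caller` and `broker`, and the volume name `broker-socket` are assumptions of this example, not names the chart is known to use.

```python
"""Post-render inspection of rendered chart objects (added example, not chart code).

Checks the properties the docs promise: exactly one adapter Deployment, Service
and NetworkPolicy; no Service that selects the broker; every Service ClusterIP;
and a broker that, when present, runs beside the caller container with an
emptyDir socket volume rather than any hostPath. Objects are plain dicts that
stand in for the multi-document YAML printed by `helm template`. Label values,
container names and the volume name are this example's assumptions.
"""

COMPONENT_LABEL = "app.kubernetes.io/component"  # assumed label key


def _pod_spec(obj: dict) -> dict:
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def _component(obj: dict) -> str:
    return obj.get("metadata", {}).get("labels", {}).get(COMPONENT_LABEL, "")


def inspect_render(objects: list[dict]) -> list[str]:
    """Return the list of violations found in the rendered objects (empty = pass)."""
    problems: list[str] = []
    by_kind: dict[str, list[dict]] = {}
    for obj in objects:
        by_kind.setdefault(obj.get("kind", ""), []).append(obj)

    # Exactly one adapter Deployment, Service and NetworkPolicy.
    for kind in ("Deployment", "Service", "NetworkPolicy"):
        n = sum(1 for o in by_kind.get(kind, []) if _component(o) == "adapter")
        if n != 1:
            problems.append(f"expected exactly one adapter {kind}, found {n}")

    # No Service may select the broker, and the default entrypoint is ClusterIP.
    for svc in by_kind.get("Service", []):
        name = svc["metadata"]["name"]
        spec = svc.get("spec", {})
        if spec.get("selector", {}).get(COMPONENT_LABEL) == "broker":
            problems.append(f"Service {name} exposes the broker")
        if spec.get("type", "ClusterIP") != "ClusterIP":
            problems.append(f"Service {name} is not ClusterIP")

    # No host-level sockets; the broker is a sidecar of the caller with a pod-local socket.
    for dep in by_kind.get("Deployment", []):
        name = dep["metadata"]["name"]
        spec = _pod_spec(dep)
        volumes = spec.get("volumes", [])
        for vol in volumes:
            if "hostPath" in vol:
                problems.append(f"Deployment {name} mounts host path volume {vol.get('name')}")
        containers = [c.get("name") for c in spec.get("containers", [])]
        if "broker" in containers:
            if "caller" not in containers:
                problems.append(f"Deployment {name} runs the broker outside the caller pod")
            if not any(v.get("name") == "broker-socket" and "emptyDir" in v for v in volumes):
                problems.append(f"Deployment {name} broker has no pod-local emptyDir socket volume")
    return problems


def _obj(kind: str, name: str, component: str, spec: dict) -> dict:
    """Build a minimal constructed Kubernetes object for the samples below."""
    return {"kind": kind, "metadata": {"name": name, "labels": {COMPONENT_LABEL: component}}, "spec": spec}


# Constructed render matching the documented shape: adapter trio plus a caller
# pod carrying the broker sidecar over an emptyDir socket.
GOOD_RENDER = [
    _obj("Deployment", "tp-auth-adapter", "adapter",
         {"replicas": 1, "template": {"spec": {"containers": [{"name": "adapter"}],
                                               "volumes": [{"name": "bundles", "secret": {"secretName": "tp-bundles"}}]}}}),
    _obj("Service", "tp-auth-adapter", "adapter",
         {"type": "ClusterIP", "selector": {COMPONENT_LABEL: "adapter"}, "ports": [{"port": 8081}]}),
    _obj("NetworkPolicy", "tp-auth-adapter", "adapter",
         {"podSelector": {"matchLabels": {COMPONENT_LABEL: "adapter"}}}),
    _obj("Deployment", "tp-auth-caller", "caller",
         {"template": {"spec": {"containers": [{"name": "caller"}, {"name": "broker"}],
                                "volumes": [{"name": "broker-socket", "emptyDir": {}}]}}}),
]

# Constructed render that breaks the rules: broker reachable through a
# LoadBalancer Service and its socket placed on a hostPath.
BAD_RENDER = GOOD_RENDER[:3] + [
    _obj("Deployment", "tp-auth-caller", "caller",
         {"template": {"spec": {"containers": [{"name": "caller"}, {"name": "broker"}],
                                "volumes": [{"name": "broker-socket", "hostPath": {"path": "/run/tp-broker"}}]}}}),
    _obj("Service", "tp-auth-broker", "broker",
         {"type": "LoadBalancer", "selector": {COMPONENT_LABEL: "broker"}, "ports": [{"port": 9090}]}),
]

if __name__ == "__main__":
    print("good:", inspect_render(GOOD_RENDER) or "OK")
    print("bad:", inspect_render(BAD_RENDER))
```

Running it against the documented shape yields no findings; the second render reports the broker Service, its non-ClusterIP type, the hostPath volume and the missing pod-local socket. To use it on real output, parse the `helm template` stream with a YAML loader (`yaml.safe_load_all`) and pass the resulting list of objects.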
Next: Example deployment.