From 9b9c1bd5629620ea8187320a3eaff306efe39dcb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 05:57:46 +0000
Subject: [PATCH 1/2] Initial plan
From 699234fb3af79b8381f1ff54d55e28e78486eb4a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 06:03:15 +0000
Subject: [PATCH 2/2] Configure overlay to use centralized authz-adapter in security namespace
Co-authored-by: bwalsh <47808+bwalsh@users.noreply.github.com>
---
 .../overlays/ingress-authz-overlay/README.md | 34 +++++++++++++++++++
 .../docs/authz-ingress-user-guide.md | 23 ++++++++++---
 .../ingress-authz-overlay/values.yaml | 10 ++++--
 helm/argo-stack/values.yaml | 4 ++-
 4 files changed, 62 insertions(+), 9 deletions(-)
diff --git a/helm/argo-stack/overlays/ingress-authz-overlay/README.md b/helm/argo-stack/overlays/ingress-authz-overlay/README.md
index 85f90f4d..0b0ead6e 100644
--- a/helm/argo-stack/overlays/ingress-authz-overlay/README.md
+++ b/helm/argo-stack/overlays/ingress-authz-overlay/README.md
@@ -16,6 +16,40 @@ This overlay provides a **single host, path-based ingress** for all major UIs an
 All endpoints are protected by the `authz-adapter` via NGINX external authentication.
+## AuthZ Adapter Configuration
+
+**Important**: By default, this overlay does **not** deploy its own authz-adapter. Instead, it reuses the centralized authz-adapter deployed by the main `argo-stack` chart in the `security` namespace.
+
+### Default Configuration (Recommended)
+
+The overlay is configured to use the existing authz-adapter in the `security` namespace:
+
+```yaml
+ingressAuthzOverlay:
+ authzAdapter:
+ deploy: false # Do NOT deploy a separate adapter
+ namespace: security # Point to security namespace
+ serviceName: authz-adapter
+ port: 8080
+```
+
+This ensures a single, centralized authz-adapter handles authentication for all ingress routes.
+
+### Deploying a Separate Adapter (Advanced)
+
+If you need the overlay to deploy its own authz-adapter instance:
+
+```yaml
+ingressAuthzOverlay:
+ authzAdapter:
+ deploy: true # Deploy a separate adapter
+ namespace: argo-stack # In the overlay's namespace
+ serviceName: authz-adapter
+ port: 8080
+```
+
+**Note**: Having multiple authz-adapter instances may cause configuration drift and is not recommended.
+
 ## Quick Start
 ```bash
diff --git a/helm/argo-stack/overlays/ingress-authz-overlay/docs/authz-ingress-user-guide.md b/helm/argo-stack/overlays/ingress-authz-overlay/docs/authz-ingress-user-guide.md
index e5e919ba..ab324591 100644
--- a/helm/argo-stack/overlays/ingress-authz-overlay/docs/authz-ingress-user-guide.md
+++ b/helm/argo-stack/overlays/ingress-authz-overlay/docs/authz-ingress-user-guide.md
@@ -405,15 +405,17 @@ ingressAuthzOverlay:
 ### AuthZ Adapter Configuration
+By default, this overlay does **not** deploy its own authz-adapter. It reuses the centralized authz-adapter deployed by the main `argo-stack` chart in the `security` namespace:
+
 ```yaml
 ingressAuthzOverlay:
 authzAdapter:
- # Disable if authz-adapter is deployed separately
- deploy: true
+ # Use centralized adapter from security namespace (recommended)
+ deploy: false
- # Service location
+ # Service location (points to main argo-stack adapter)
 serviceName: authz-adapter
- namespace: argo-stack
+ namespace: security
 port: 8080
 path: /check
@@ -422,8 +424,19 @@ ingressAuthzOverlay:
 # Headers passed from auth response to backends
 responseHeaders: "X-User,X-Email,X-Groups"
+```
+
+If you need to deploy a separate authz-adapter instance (not recommended):
+
+```yaml
+ingressAuthzOverlay:
+ authzAdapter:
+ deploy: true # Deploy a separate adapter
+ namespace: argo-stack # In overlay's namespace
+ serviceName: authz-adapter
+ port: 8080
- # Environment configuration
+ # Environment configuration (only used when deploy: true)
 env:
 fenceBase: "https://calypr-dev.ohsu.edu/user"
 ```
diff --git a/helm/argo-stack/overlays/ingress-authz-overlay/values.yaml b/helm/argo-stack/overlays/ingress-authz-overlay/values.yaml
index 301e2056..40df467d 100644
--- a/helm/argo-stack/overlays/ingress-authz-overlay/values.yaml
+++ b/helm/argo-stack/overlays/ingress-authz-overlay/values.yaml
@@ -35,12 +35,16 @@ ingressAuthzOverlay:
 # AuthZ Adapter Configuration
 # ============================================================================
 authzAdapter:
- # Enable deployment of authz-adapter (set to false if deployed separately)
- deploy: true
+ # Enable deployment of authz-adapter (set to false if using centralized adapter)
+ # NOTE: By default, the main argo-stack chart deploys authz-adapter to the
+ # 'security' namespace. Set deploy: false to reuse that instance.
+ deploy: false
 # Service discovery settings
+ # NOTE: When deploy: false, ensure these point to the existing authz-adapter
+ # deployed by the main argo-stack chart in the 'security' namespace.
 serviceName: authz-adapter
- namespace: argo-stack
+ namespace: security
 port: 8080
 # Auth endpoint path
diff --git a/helm/argo-stack/values.yaml b/helm/argo-stack/values.yaml
index 76275e6b..07b6d70b 100644
--- a/helm/argo-stack/values.yaml
+++ b/helm/argo-stack/values.yaml
@@ -235,8 +235,10 @@ ingressAuthzOverlay:
 secretName: calypr-demo-tls
 clusterIssuer: letsencrypt-prod
 authzAdapter:
+ # Use centralized adapter from security namespace
+ deploy: false
 serviceName: authz-adapter
- namespace: argo-stack
+ namespace: security
 port: 8080
 path: /check
 signinUrl: https://calypr-demo.ddns.net/tenants/login
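Review bot: With `deploy: false` now the default in the overlay's values.yaml, every route this overlay protects depends on a Service the chart no longer creates (`authz-adapter` in `security`, port 8080), yet the hunk only adds a NOTE asking the operator to "ensure" it exists — nothing validates the target, and per the user-guide hunk the `env:` block (`fenceBase`) is ignored in this mode, so the overlay's values can silently diverge from the adapter that actually makes the decisions. Presumably the templates build the NGINX external-auth URL from these three keys (not visible here); if so, the comment should state the cross-namespace requirement and the failure mode so nobody "fixes" an outage by removing the auth annotation: `# Cross-namespace dependency: the ingress controller must be able to reach this Service` `# (a NetworkPolicy in 'security' must admit it on port 8080). If the adapter is absent or` `# unreachable, the auth subrequest errors and protected routes return 5xx, not open access.` Worth confirming that fail-closed behaviour against the rendered annotation before relying on it. The same uncommented cross-namespace assumption is repeated in the helm/argo-stack/values.yaml hunk below.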
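Review bot: The new comment `# Use centralized adapter from security namespace` in the main chart's `ingressAuthzOverlay.authzAdapter` block says where the adapter lives but not what enables it; with `deploy: false` now set both here and in the overlay's own values.yaml, nothing in this change shows the key that actually deploys `authz-adapter` into `security`, so a reader cannot tell whether turning that key off leaves every protected route without an authorizer. Name the owning key in the comment so the dependency is greppable, e.g. `# deploy: false — the adapter itself is enabled by <main-chart authz-adapter key>; keep that enabled or every authz-protected route fails its auth subrequest`. This block also duplicates the overlay's `serviceName`/`namespace`/`port` by hand, which is exactly the configuration drift the README hunk warns about; a single source for those three values would remove the risk.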