Configure ingress-authz-overlay to use centralized authz-adapter

helm/argo-stack/overlays/ingress-authz-overlay/README.md

@@ -16,6 +16,40 @@ This overlay provides a **single host, path-based ingress** for all major UIs an
 
 All endpoints are protected by the `authz-adapter` via NGINX external authentication.
 
+## AuthZ Adapter Configuration
+
+**Important**: By default, this overlay does **not** deploy its own authz-adapter. Instead, it reuses the centralized authz-adapter deployed by the main `argo-stack` chart in the `security` namespace.
+
+### Default Configuration (Recommended)
+
+The overlay is configured to use the existing authz-adapter in the `security` namespace:
+
+```yaml
+ingressAuthzOverlay:
+  authzAdapter:
+    deploy: false                # Do NOT deploy a separate adapter
+    namespace: security          # Point to security namespace
+    serviceName: authz-adapter
+    port: 8080
+```
+
+This ensures a single, centralized authz-adapter handles authentication for all ingress routes.
+
+### Deploying a Separate Adapter (Advanced)
+
+If you need the overlay to deploy its own authz-adapter instance:
+
+```yaml
+ingressAuthzOverlay:
+  authzAdapter:
+    deploy: true                 # Deploy a separate adapter
+    namespace: argo-stack        # In the overlay's namespace
+    serviceName: authz-adapter
+    port: 8080
+```
+
+**Note**: Having multiple authz-adapter instances may cause configuration drift and is not recommended.
+
 ## Quick Start
 
 ```bash

helm/argo-stack/overlays/ingress-authz-overlay/docs/authz-ingress-user-guide.md

@@ -405,15 +405,17 @@ ingressAuthzOverlay:
 
 ### AuthZ Adapter Configuration
 
+By default, this overlay does **not** deploy its own authz-adapter. It reuses the centralized authz-adapter deployed by the main `argo-stack` chart in the `security` namespace:
+
 ```yaml
 ingressAuthzOverlay:
   authzAdapter:
-    # Disable if authz-adapter is deployed separately
-    deploy: true
+    # Use centralized adapter from security namespace (recommended)
+    deploy: false
 
-    # Service location
+    # Service location (points to main argo-stack adapter)
     serviceName: authz-adapter
-    namespace: argo-stack
+    namespace: security
     port: 8080
     path: /check
 
@@ -422,8 +424,19 @@ ingressAuthzOverlay:
 
     # Headers passed from auth response to backends
     responseHeaders: "X-User,X-Email,X-Groups"
+```
+
+If you need to deploy a separate authz-adapter instance (not recommended):
+
+```yaml
+ingressAuthzOverlay:
+  authzAdapter:
+    deploy: true                 # Deploy a separate adapter
+    namespace: argo-stack        # In overlay's namespace
+    serviceName: authz-adapter
+    port: 8080
 
-    # Environment configuration
+    # Environment configuration (only used when deploy: true)
     env:
       fenceBase: "https://calypr-dev.ohsu.edu/user"
 ```

helm/argo-stack/overlays/ingress-authz-overlay/values.yaml

@@ -35,12 +35,16 @@ ingressAuthzOverlay:
   # AuthZ Adapter Configuration
   # ============================================================================
   authzAdapter:
-    # Enable deployment of authz-adapter (set to false if deployed separately)
-    deploy: true
+    # Enable deployment of authz-adapter (set to false if using centralized adapter)
+    # NOTE: By default, the main argo-stack chart deploys authz-adapter to the
+    # 'security' namespace. Set deploy: false to reuse that instance.
+    deploy: false
 
     # Service discovery settings
+    # NOTE: When deploy: false, ensure these point to the existing authz-adapter
+    # deployed by the main argo-stack chart in the 'security' namespace.
     serviceName: authz-adapter
-    namespace: argo-stack
+    namespace: security
     port: 8080
 
     # Auth endpoint path

helm/argo-stack/values.yaml

@@ -235,8 +235,10 @@ ingressAuthzOverlay:
     secretName: calypr-demo-tls
     clusterIssuer: letsencrypt-prod
   authzAdapter:
+    # Use centralized adapter from security namespace
+    deploy: false
     serviceName: authz-adapter
-    namespace: argo-stack
+    namespace: security
     port: 8080
     path: /check
     signinUrl: https://calypr-demo.ddns.net/tenants/login