Temporarily patch stac-auth-proxy chart until PR comes in.

Author: pantierra

charts/eoapi/templates/core/stac-auth-proxy-patch-rbac.yaml

@@ -0,0 +1,34 @@
+{{- if index .Values "stac-auth-proxy" "enabled" }}
+{{- if index .Values "stac-auth-proxy" "initContainers" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-stac-auth-proxy-patch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "eoapi.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "patch"]
+  resourceNames:
+    - {{ .Release.Name }}-stac-auth-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-stac-auth-proxy-patch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "eoapi.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "eoapi.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-stac-auth-proxy-patch
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}

charts/eoapi/templates/core/stac-auth-proxy-patch.yaml

@@ -0,0 +1,54 @@
+{{- if index .Values "stac-auth-proxy" "enabled" }}
+{{- if index .Values "stac-auth-proxy" "initContainers" }}
+# NOTE: This hook patches the stac-auth-proxy deployment to add initContainers.
+# Since Helm hooks run AFTER all resources (including subcharts) are installed,
+# the deployment will start once without initContainers, then be patched and rolled out.
+# This is a temporary workaround until upstream stac-auth-proxy chart adds native initContainers support.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-stac-auth-proxy-patch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "eoapi.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: "post-install,post-upgrade"
+    helm.sh/hook-weight: "5"
+    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+spec:
+  template:
+    metadata:
+      labels:
+        {{- include "eoapi.labels" . | nindent 8 }}
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "eoapi.serviceAccountName" . }}
+      containers:
+      - name: patch-deployment
+        image: bitnami/kubectl:latest
+        imagePullPolicy: IfNotPresent
+        command:
+        - /bin/bash
+        - -c
+        - |
+          set -e
+          DEPLOYMENT_NAME="{{ .Release.Name }}-stac-auth-proxy"
+          NAMESPACE="{{ .Release.Namespace }}"
+          echo "Waiting for deployment $DEPLOYMENT_NAME..."
+          for i in {1..30}; do
+            kubectl get deployment "$DEPLOYMENT_NAME" -n "$NAMESPACE" &>/dev/null && break
+            sleep 2
+          done
+          EXISTING_INIT=$(kubectl get deployment "$DEPLOYMENT_NAME" -n "$NAMESPACE" -o jsonpath='{.spec.template.spec.initContainers}' 2>/dev/null || echo "")
+          if [ -n "$EXISTING_INIT" ] && [ "$EXISTING_INIT" != "null" ]; then
+            echo "Deployment already has initContainers, skipping"
+            exit 0
+          fi
+          echo "Patching deployment with initContainers..."
+          INIT_CONTAINERS_JSON='{{ index .Values "stac-auth-proxy" "initContainers" | toJson }}'
+          kubectl patch deployment "$DEPLOYMENT_NAME" -n "$NAMESPACE" --type='json' -p="[{\"op\":\"add\",\"path\":\"/spec/template/spec/initContainers\",\"value\":$INIT_CONTAINERS_JSON}]"
+          echo "Waiting for rollout..."
+          kubectl rollout status deployment/"$DEPLOYMENT_NAME" -n "$NAMESPACE" --timeout=300s
+  backoffLimit: 2
+{{- end }}
+{{- end }}