parcelLab · jmpalomares · Apr 27, 2026 · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026
@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A Helm chart library for parcelLab charts
 type: library
-version: 1.3.6
+version: 1.3.7
 maintainers:
   - name: parcelLab
     email: engineering@parcellab.com
@@ -26,6 +26,8 @@
 {{- $globalJwtProviderName := $security.jwtProviderName -}}
 {{- $globalJwksURI := $security.jwksURI -}}
 {{- $globalAnnotations := default (dict) $security.annotations -}}
+{{- $globalPassThroughAuthHeader := $security.passThroughAuthHeader -}}
+{{- $globalRefreshToken := $security.refreshToken -}}
 
 {{ range $policyIndex, $policy := $policies }}
 {{- $policyName := required (printf "envoy.security.policies[%d].name is required" $policyIndex) $policy.name -}}
@@ -42,6 +44,18 @@
 {{- $jwksURI := coalesce $policy.jwksURI $globalJwksURI (printf "%s/protocol/openid-connect/certs" $issuer) -}}
 {{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}}
 {{- $annotations := merge (default (dict) $policy.annotations) $globalAnnotations -}}
+{{- $passThroughAuthHeader := true -}}
+{{- if and (hasKey $policy "passThroughAuthHeader") (ne $policy.passThroughAuthHeader nil) -}}
+  {{- $passThroughAuthHeader = $policy.passThroughAuthHeader -}}
+{{- else if and (hasKey $security "passThroughAuthHeader") (ne $globalPassThroughAuthHeader nil) -}}
+  {{- $passThroughAuthHeader = $globalPassThroughAuthHeader -}}
+{{- end -}}
+{{- $refreshToken := true -}}
+{{- if and (hasKey $policy "refreshToken") (ne $policy.refreshToken nil) -}}
+  {{- $refreshToken = $policy.refreshToken -}}
+{{- else if and (hasKey $security "refreshToken") (ne $globalRefreshToken nil) -}}
+  {{- $refreshToken = $globalRefreshToken -}}
+{{- end -}}
 {{- $targetRef := $policy.targetRef -}}
 {{- $targetRefs := $policy.targetRefs -}}
 {{- $rawSelectors := list -}}
@@ -104,7 +118,8 @@ spec:
     {{- end }}
     cookieDomain: {{ $cookieDomain | quote }}
     forwardAccessToken: true
-    passThroughAuthHeader: true
+    passThroughAuthHeader: {{ $passThroughAuthHeader }}
+    refreshToken: {{ $refreshToken }}
   jwt:
     optional: false
     providers:

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: microservice
 description: Simple microservice
-version: 0.5.6
+version: 0.5.7
 dependencies:
   - name: common
     version: "*"

@@ -116,6 +116,8 @@ envoy:
     # redirectURL: "https://my-app.example.com/oauth2/callback"
     # cookieDomain: "my-app.example.com"
     # annotations: {}          # optional: annotations applied to all SecurityPolicy resources
+    # passThroughAuthHeader: true   # optional: default true. Set false to reject unauthenticated requests at the gateway instead of forwarding the incoming Authorization header to the backend.
+    # refreshToken: true            # optional: default true. Keep the OIDC session alive via refresh tokens.
     # scopes:
     #   - profile
     #   - email

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: monolith
 description: Application that may define multiple services and cronjobs
-version: 0.5.7
+version: 0.5.8
 dependencies:
   - name: common
     version: "*"

@@ -145,6 +145,8 @@ envoy:
     # redirectURL: "https://my-app.example.com/oauth2/callback"
     # cookieDomain: "my-app.example.com"
     # annotations: {}          # optional: annotations applied to all SecurityPolicy resources
+    # passThroughAuthHeader: true   # optional: default true. Set false to reject unauthenticated requests at the gateway instead of forwarding the incoming Authorization header to the backend.
+    # refreshToken: true            # optional: default true. Keep the OIDC session alive via refresh tokens.
     # scopes:
     #   - profile
     #   - email