developmentseed · pantierra · Dec 15, 2025 · Dec 15, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/.github/workflows/stac-browser.yml b/.github/workflows/stac-browser.yml
@@ -5,18 +5,14 @@ on:
     types: [released]
   workflow_dispatch:
     inputs:
-      TAG_NAME:
-        description: "Tag name for this image"
-        required: true
-        default: "eoapi-k8s-stac-browser"
       STAC_BROWSER_VERSION:
-        description: "STAC Browser version to build (e.g. v3.3.4)"
+        description: "STAC Browser version to build (e.g. v4.0.0)"
         required: true
-        default: "v3.3.4"
+        default: "v4.0.0"
 
 env:
   REGISTRY: ghcr.io
-  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+  STAC_BROWSER_VERSION: ${{ github.event.inputs.STAC_BROWSER_VERSION || github.event.release.tag_name }}
 
 jobs:
   build-and-push:
@@ -28,12 +24,12 @@ jobs:
         uses: actions/checkout@v6
         with:
           repository: radiantearth/stac-browser
-          ref: ${{ github.event.inputs.STAC_BROWSER_VERSION }}
+          ref: ${{ env.STAC_BROWSER_VERSION }}
 
       - name: Set environment variables
         run: |
           {
-            echo "VERSION=${TAG_NAME#v}"
+            echo "VERSION=${STAC_BROWSER_VERSION#v}"
             echo "IMAGE_NAME=$REGISTRY/${GITHUB_REPOSITORY,,}/stac-browser"
             echo "COMMITED_AT=$(git show -s --format=%cI "$(git rev-parse HEAD)")"
             echo "REVISION=$(git rev-parse --short HEAD)"
@@ -49,7 +45,8 @@ jobs:
             org.opencontainers.image.version=v${{ env.VERSION }}
             org.opencontainers.image.maintainer=${{ github.repository_owner }}
           tags: |
-            type=semver,pattern={{version}},value=v${{ env.VERSION }}
+            type=raw,value=${{ env.VERSION }}
+            type=raw,value=latest
 
       - name: Log in to the GitHub container registry
         uses: docker/login-action@v3
@@ -69,5 +66,5 @@ jobs:
             pathPrefix=/browser/
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:edge
+          cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:latest
           cache-to: type=inline
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381)
+- Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
 
 ### Fixed
 
@@ -20,6 +21,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Consolidated service data into one data directory [#387](https://github.com/developmentseed/eoapi-k8s/pull/387)
 
+### Dependencies
+
+- Updated STAC Browser image to version 4.0.0 [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
+
 ## [0.8.1]
 
 ### Added

diff --git a/charts/eoapi/profiles/experimental.yaml b/charts/eoapi/profiles/experimental.yaml
@@ -206,6 +206,8 @@ browser:
   enabled: true
   settings:
     resources: {}
+  # STAC Browser needs external OIDC URL (accessible from user's browser)
+  oidcDiscoveryUrl: "http://localhost/mock-oidc/.well-known/openid-configuration"
 
 docServer:
   enabled: true
@@ -385,6 +387,9 @@ mockOidcServer:
   port: 8888
   clientId: "test-client"
   clientSecret: "test-secret"
+  extraEnv:
+    - name: ISSUER
+      value: "http://localhost/mock-oidc"
   service:
     type: ClusterIP
     port: 8080
@@ -402,7 +407,6 @@ mockOidcServer:
   tolerations: []
   affinity: {}
   imagePullSecrets: []
-  extraEnv: []
 
 ######################
 # SERVICE

diff --git a/charts/eoapi/templates/core/rbac.yaml b/charts/eoapi/templates/core/rbac.yaml
@@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: eoapi-role-{{ $.Release.Name }}
+  name: eoapi-role-{{ .Release.Name }}
   labels:
-    app: eoapi-{{ $.Release.Name }}
+    app: eoapi-{{ .Release.Name }}
 rules:
 - apiGroups: ["batch"]
   resources: ["jobs"]
@@ -14,9 +14,9 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: eoapi-cluster-role-{{ $.Release.Name }}
+  name: eoapi-cluster-role-{{ .Release.Name }}
   labels:
-    app: eoapi-{{ $.Release.Name }}
+    app: eoapi-{{ .Release.Name }}
 rules:
 # CRD management for Knative operator installation
 - apiGroups: ["apiextensions.k8s.io"]
@@ -50,32 +50,32 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: eoapi-cluster-rolebinding-{{ $.Release.Name }}
+  name: eoapi-cluster-rolebinding-{{ .Release.Name }}
   labels:
-    app: eoapi-{{ $.Release.Name }}
+    app: eoapi-{{ .Release.Name }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "eoapi.serviceAccountName" . }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: eoapi-cluster-role-{{ $.Release.Name }}
+  name: eoapi-cluster-role-{{ .Release.Name }}
   apiGroup: rbac.authorization.k8s.io
 ---
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: eoapi-rolebinding-{{ $.Release.Name }}
+  name: eoapi-rolebinding-{{ .Release.Name }}
   labels:
-    app: eoapi-{{ $.Release.Name }}
+    app: eoapi-{{ .Release.Name }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "eoapi.serviceAccountName" . }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
-  name: eoapi-role-{{ $.Release.Name }}
+  name: eoapi-role-{{ .Release.Name }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
diff --git a/charts/eoapi/templates/database/pgstacbootstrap/configmap.yaml b/charts/eoapi/templates/database/pgstacbootstrap/configmap.yaml
@@ -6,23 +6,23 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Release.Name }}-pgstac-settings-config
+  name: {{ .Release.Name }}-pgstac-settings-config
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-7"
     helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
 data:
   pgstac-settings.sql: |
-    {{- tpl ($.Files.Get "data/initdb/settings/pgstac-settings.sql.tpl") $ | nindent 4 }}
+    {{- tpl (.Files.Get "data/initdb/settings/pgstac-settings.sql.tpl") . | nindent 4 }}
     {{- if (index .Values "eoapi-notifier").enabled }}
-    {{ $.Files.Get "data/initdb/settings/pgstac-notification-triggers.sql" | nindent 4 }}
+    {{ .Files.Get "data/initdb/settings/pgstac-notification-triggers.sql" | nindent 4 }}
     {{- end }}
 ---
 {{- if .Values.pgstacBootstrap.settings.loadSamples }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Release.Name }}-initdb-sql-config
+  name: {{ .Release.Name }}-initdb-sql-config
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-7"
@@ -36,7 +36,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Release.Name }}-initdb-json-config
+  name: {{ .Release.Name }}-initdb-json-config
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-7"
@@ -58,7 +58,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $.Release.Name }}-pgstac-queryables-config
+  name: {{ .Release.Name }}-pgstac-queryables-config
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-7"

diff --git a/charts/eoapi/templates/database/pgstacbootstrap/eoap-superuser-initdb.yaml b/charts/eoapi/templates/database/pgstacbootstrap/eoap-superuser-initdb.yaml
@@ -47,27 +47,27 @@ spec:
             - name: PGUSER
               valueFrom:
                 secretKeyRef:
-                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
+                  name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres
                   key: user
             - name: PGPORT
               valueFrom:
                 secretKeyRef:
-                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
+                  name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres
                   key: port
             - name: PGHOST
               valueFrom:
                 secretKeyRef:
-                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
+                  name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres
                   key: host
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
+                  name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres
                   key: password
             - name: PGDATABASE
               valueFrom:
                 secretKeyRef:
-                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
+                  name: {{ .Values.postgrescluster.name | default .Release.Name }}-pguser-postgres
                   key: dbname
       volumes:
         - name: {{ .Release.Name }}-initdb-config

diff --git a/...templates/networking/ingress-browser.yaml → ...mplates/networking/ingress-no-prefix.yaml b/...templates/networking/ingress-browser.yaml → ...mplates/networking/ingress-no-prefix.yaml
@@ -1,5 +1,4 @@
-# We need a separate ingress because browser has the prefix /browser hardcoded in the code
-{{- if and .Values.browser.enabled .Values.ingress.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }}
+{{- if and .Values.ingress.enabled (or (and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled)) (and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled))) }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: networking.k8s.io/v1
 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
@@ -9,21 +8,20 @@ apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-ingress-browser
+  name: {{ .Release.Name }}-ingress-no-prefix
   labels:
-    app: {{ .Release.Name }}-ingress-browser
+    app: {{ .Release.Name }}-ingress-no-prefix
   annotations:
     {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | indent 4 }}
     {{- end }}
-    {{- if eq .Values.ingress.className "nginx" }}
-    nginx.ingress.kubernetes.io/rewrite-target: /browser/$2
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    {{- end }}
-    # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490
+    # Services handle their own path manipulation - no stripPrefix middleware
     {{- if eq .Values.ingress.className "traefik" }}
     traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd
+    {{- end }}
+    {{- if eq .Values.ingress.className "nginx" }}
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: "true"
     {{- end }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
@@ -35,12 +33,26 @@ spec:
     - host: {{ . }}
       http:
         paths:
+          {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }}
+          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+            backend:
+              service:
+                {{- if index $.Values "stac-auth-proxy" "enabled" }}
+                name: {{ $.Release.Name }}-stac-auth-proxy
+                {{- else }}
+                name: {{ $.Release.Name }}-stac
+                {{- end }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+
           {{- if and $.Values.browser.enabled (or (not (hasKey $.Values.browser "ingress")) $.Values.browser.ingress.enabled) }}
           - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: "/browser{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
+            path: "{{ $.Values.browser.ingress.path | default "/browser" }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
             backend:
               service:
-                name: {{ .Release.Name }}-browser
+                name: {{ $.Release.Name }}-browser
                 port:
                   number: 8080
           {{- end }}
@@ -51,9 +63,23 @@ spec:
       {{- end }}
       http:
         paths:
+          {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }}
+          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+            backend:
+              service:
+                {{- if index .Values "stac-auth-proxy" "enabled" }}
+                name: {{ .Release.Name }}-stac-auth-proxy
+                {{- else }}
+                name: {{ .Release.Name }}-stac
+                {{- end }}
+                port:
+                  number: {{ .Values.service.port }}
+          {{- end }}
+
           {{- if and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }}
           - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: "/browser{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
+            path: "{{ .Values.browser.ingress.path | default "/browser" }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
             backend:
               service:
                 name: {{ .Release.Name }}-browser

diff --git a/charts/eoapi/templates/networking/ingress.yaml b/charts/eoapi/templates/networking/ingress.yaml
@@ -19,10 +19,10 @@ metadata:
     {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | indent 4 }}
     {{- end }}
-    # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490
+    # Traefik stripPrefix middleware for services that need path stripping (excludes STAC)
     {{- if eq .Values.ingress.className "traefik" }}
     traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-{{ .Release.Name }}-strip-prefix-middleware@kubernetescrd
     {{- end }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
@@ -44,19 +44,7 @@ spec:
                   number: {{ $.Values.service.port }}
           {{- end }}
 
-          {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
-            backend:
-              service:
-                {{- if index $.Values "stac-auth-proxy" "enabled" }}
-                name: {{ $.Release.Name }}-stac-auth-proxy
-                {{- else }}
-                name: {{ $.Release.Name }}-stac
-                {{- end }}
-                port:
-                  number: {{ $.Values.service.port }}
-          {{- end }}
+
 
           {{- if and $.Values.vector.enabled (or (not (hasKey $.Values.vector "ingress")) $.Values.vector.ingress.enabled) }}
           - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
@@ -114,19 +102,7 @@ spec:
                   number: {{ .Values.service.port }}
           {{- end }}
 
-          {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
-            backend:
-              service:
-                {{- if index .Values "stac-auth-proxy" "enabled" }}
-                name: {{ .Release.Name }}-stac-auth-proxy
-                {{- else }}
-                name: {{ .Release.Name }}-stac
-                {{- end }}
-                port:
-                  number: {{ .Values.service.port }}
-          {{- end }}
+
 
           {{- if and .Values.vector.enabled (or (not (hasKey .Values.vector "ingress")) .Values.vector.ingress.enabled) }}
           - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
@@ -160,7 +136,7 @@ spec:
 
           {{- if .Values.docServer.enabled }}
           - pathType: Prefix
-            path: "/{{ $.Values.ingress.rootPath | default "" }}"
+            path: "/{{ .Values.ingress.rootPath | default "" }}"
             backend:
               service:
                 name: {{ .Release.Name }}-doc-server