silogen · johnl-amd · May 11, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
@@ -293,6 +293,9 @@ apps:
     path: cluster-auth/0.5.9
     syncWave: -25
     valuesFile: values.yaml
+    valuesObject:
+      additionalSecurityPolicyNamespaces:
+        - workbench
   cluster-auth-config:
     ignoreDifferences:
       - group: external-secrets.io
@@ -576,12 +579,49 @@ apps:
         requests:
           cpu: "250m"
           memory: "512Mi"
+  inference-extension-crds:
+    namespace: default
+    path: inference-extension-crds/v1.5.0
+    syncWave: -35
   envoy-gateway:
     namespace: envoy-gateway-system
     path: envoy-gateway/v1.7.1
     syncWave: -30
     valuesObject:
       kubernetesClusterDomain: cluster.local
+      config:
+        envoyGateway:
+          extensionApis:
+            # Required for AI Gateway Backend CRD references to be accepted.
+            enableBackend: true
+          # Registers the AI Gateway controller as an xDS extension server.
+          # Without this, Envoy Gateway does not inject the ext_proc HTTP filter
+          # into the listener, so token metadata fields stay null in access logs.
+          extensionManager:
+            resources:
+              - group: aigateway.envoyproxy.io
+                version: v1beta1
+                kind: AIGatewayRoute
+              - group: aigateway.envoyproxy.io
+                version: v1beta1
+                kind: AIServiceBackend
+            backendResources:
+              - group: inference.networking.k8s.io
+                version: v1
+                kind: InferencePool
+            hooks:
+              xdsTranslator:
+                post:
+                  - Cluster
+                  - Translation
+            service:
+              host: ai-gateway-controller.envoy-ai-gateway-system.svc.cluster.local
+              port: 1063
+              tls:
+                certificateRef:
+                  kind: Secret
+                  name: self-signed-cert-for-mutating-webhook
+                  namespace: envoy-ai-gateway-system
   envoy-gateway-config:
     helmParameters:
       - name: domain
@@ -590,6 +630,20 @@ apps:
     path: envoy-gateway-config
     syncWave: -15
     valuesFile: values.yaml
+  envoy-ai-gateway-crds:
+    namespace: envoy-ai-gateway-system
+    path: envoy-ai-gateway-crds/v0.6.0
+    syncWave: -10
+  envoy-ai-gateway:
+    namespace: envoy-ai-gateway-system
+    path: envoy-ai-gateway/v0.6.0
+    syncWave: -5
+    valuesObject:
+      controller:
+        mcp:
+          sessionEncryption:
+            # Must be overridden per deployment with a secure random string.
+            seed: "cluster-forge-default-seed-override-in-production"
   kserve:
     namespace: kserve-system
     path: kserve/v0.16.0

@@ -20,8 +20,11 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
+  - inference-extension-crds
   - envoy-gateway
   - envoy-gateway-config
+  - envoy-ai-gateway-crds
+  - envoy-ai-gateway
   - gitea
   - gitea-config
   - kaiwo

@@ -22,8 +22,11 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
+  - inference-extension-crds
   - envoy-gateway
   - envoy-gateway-config
+  - envoy-ai-gateway-crds
+  - envoy-ai-gateway
   - gitea
   - gitea-config
   - kaiwo

@@ -20,8 +20,11 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
+  - inference-extension-crds
   - envoy-gateway
   - envoy-gateway-config
+  - envoy-ai-gateway-crds
+  - envoy-ai-gateway
   - gitea
   - gitea-config
   - kaiwo

@@ -59,7 +59,7 @@ components:
     licenseUrl: https://github.com/silogen/cluster-forge/blob/main/LICENSE
   aiwb:
     path: null
-    repoVersion: 1.1.9
+    repoVersion: 2.0.0-rc.1
     valuesFile: values.yaml
     sourceUrl: oci://registry-1.docker.io/amdenterpriseai/aiwb-chart
     projectUrl: https://github.com/silogen/aiwb
@@ -119,6 +119,24 @@ components:
     projectUrl: https://github.com/cloudnative-pg/cloudnative-pg
     license: Apache License 2.0
     licenseUrl: https://github.com/cloudnative-pg/cloudnative-pg/blob/main/LICENSE
+  envoy-ai-gateway:
+    path: envoy-ai-gateway/v0.6.0
+    sourceUrl: https://github.com/envoyproxy/ai-gateway
+    projectUrl: https://github.com/envoyproxy/ai-gateway
+    license: Apache License 2.0
+    licenseUrl: https://github.com/envoyproxy/ai-gateway/blob/main/LICENSE
+  inference-extension-crds:
+    path: inference-extension-crds/v1.5.0
+    sourceUrl: https://github.com/kubernetes-sigs/gateway-api-inference-extension
+    projectUrl: https://github.com/kubernetes-sigs/gateway-api-inference-extension
+    license: Apache License 2.0
+    licenseUrl: https://github.com/kubernetes-sigs/gateway-api-inference-extension/blob/main/LICENSE
+  envoy-ai-gateway-crds:
+    path: envoy-ai-gateway-crds/v0.6.0
+    sourceUrl: https://github.com/envoyproxy/ai-gateway
+    projectUrl: https://github.com/envoyproxy/ai-gateway
+    license: Apache License 2.0
+    licenseUrl: https://github.com/envoyproxy/ai-gateway/blob/main/LICENSE
   envoy-gateway:
     path: envoy-gateway/v1.7.1
     sourceUrl: oci://docker.io/envoyproxy/gateway-helm

@@ -92,6 +92,34 @@ rules:
   resources: ["inferenceservices"]
   verbs: ["get", "list"]
 
+# Envoy Gateway resources (for per-AIM dynamic routing and API key auth)
+- apiGroups: ["gateway.envoyproxy.io"]
+  resources: ["backends", "securitypolicies"]
+  verbs: ["get", "list", "create", "update", "patch", "delete"]
+- apiGroups: ["aigateway.envoyproxy.io"]
+  resources: ["aiservicebackends", "aigatewayroutes"]
+  verbs: ["get", "list", "create", "update", "patch", "delete"]
+
+# InferencePool + InferenceObjective (for EPP-based replica-aware routing)
+- apiGroups: ["inference.networking.k8s.io"]
+  resources: ["inferencepools"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
+- apiGroups: ["inference.networking.x-k8s.io"]
+  resources: ["inferenceobjectives"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
+# EPP Role grants watch on x-k8s.io/inferencepools too — AIWB must hold it to be able to grant it
+- apiGroups: ["inference.networking.x-k8s.io"]
+  resources: ["inferencepools"]
+  verbs: ["get", "list", "watch"]
+
+# ServiceAccount + RBAC (for per-AIM EPP identity and permissions)
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["get", "list", "create", "update", "patch", "delete", "deletecollection"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["roles", "rolebindings"]
+  verbs: ["get", "list", "create", "update", "patch", "delete", "deletecollection"]
+
 # PVC access (read-only)
 - apiGroups: [""]
   resources: ["persistentvolumeclaims"]

@@ -13,6 +13,10 @@ namespace:
   name: cluster-auth
   create: true
 
+# Additional namespaces whose SecurityPolicies are allowed to reference the cluster-auth service.
+# Needed when per-AIM SecurityPolicies are created in workload namespaces (e.g., workbench).
+additionalSecurityPolicyNamespaces: []
+
 existingSecret: "cluster-auth-secrets"
 
 service:

@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v0.6.0
+description: The Helm chart for Envoy AI Gateway CRD
+home: https://aigateway.envoyproxy.io/
+icon: https://raw.githubusercontent.com/envoyproxy/ai-gateway/refs/heads/main/site/static/img/logo.svg
+keywords:
+- gateway-api
+- envoyproxy
+- envoy-gateway
+- eg
+- ai-gateway
+- ai
+maintainers:
+- name: envoy-ai-gateway-maintainers
+  url: https://github.com/envoyproxy/ai-gateway/blob/main/CODEOWNERS
+name: ai-gateway-crds-helm
+sources:
+- https://github.com/envoyproxy/ai-gateway
+type: application
+version: v0.6.0