NVIDIA · vvnpn-nv · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Apr 1, 2026
@@ -305,6 +305,9 @@ Authorization sidecar container
   imagePullPolicy: {{ .Values.sidecars.authz.imagePullPolicy }}
   args:
     - "--grpc-port={{ .Values.sidecars.authz.grpcPort }}"
+    {{- if .Values.services.configs.enabled }}
+    - "--roles-file=/etc/osmo/configs/config.yaml"
+    {{- else }}
     - "--postgres-host={{ .Values.services.postgres.serviceName }}"
     - "--postgres-port={{ .Values.services.postgres.port }}"
     - "--postgres-database={{ .Values.services.postgres.db }}"
@@ -313,6 +316,7 @@ Authorization sidecar container
     - "--postgres-max-conns={{ .Values.sidecars.authz.postgres.maxConns }}"
     - "--postgres-min-conns={{ .Values.sidecars.authz.postgres.minConns }}"
     - "--postgres-max-conn-lifetime={{ .Values.sidecars.authz.postgres.maxConnLifetimeMin }}"
+    {{- end }}
     - "--cache-ttl={{ .Values.sidecars.authz.cache.ttl }}"
     - "--cache-max-size={{ .Values.sidecars.authz.cache.maxSize }}"
     {{- if .Values.global.logs.enabled }}
@@ -340,11 +344,16 @@ Authorization sidecar container
           name: redis-secret
           key: redis-password
     {{- end }}
-  {{- if .Values.global.logs.enabled }}
   volumeMounts:
+  {{- if .Values.global.logs.enabled }}
     - name: logs
       mountPath: /logs
   {{- end }}
+  {{- if .Values.services.configs.enabled }}
+    - name: configs
+      mountPath: /etc/osmo/configs
+      readOnly: true
+  {{- end }}
   {{- with .Values.sidecars.authz.livenessProbe }}
   livenessProbe:
     {{- toYaml . | nindent 4 }}

@@ -36,6 +36,9 @@ spec:
         {{- end }}
       annotations:
         {{- include "osmo.extra-annotations" .Values.services.agent | nindent 8 }}
+        {{- if .Values.services.configs.enabled }}
+        checksum/configs: {{ .Values.services.configs | toYaml | sha256sum }}
+        {{- end }}
     spec:
       {{- with .Values.services.agent.hostAliases }}
       hostAliases:
@@ -214,6 +217,11 @@ spec:
         - name: logs
           emptyDir: {}
         {{- end}}
+        {{- if .Values.services.configs.enabled }}
+        - name: configs
+          configMap:
+            name: {{ .Values.services.service.serviceName }}-configs
+        {{- end }}
         {{- if .Values.services.configFile.enabled}}
         - configMap:
             defaultMode: 420

@@ -35,6 +35,9 @@ spec:
         {{- end }}
       annotations:
         checksum/envoy-config: {{ .Values.sidecars.envoy | toYaml | sha256sum }}
+        {{- if .Values.services.configs.enabled }}
+        checksum/configs: {{ .Values.services.configs | toYaml | sha256sum }}
+        {{- end }}
         {{- include "osmo.extra-annotations" .Values.services.service | nindent 8 }}
     spec:
       {{- with .Values.services.service.hostAliases }}
@@ -149,6 +152,10 @@ spec:
         - --default_admin_username
         - {{ .Values.services.defaultAdmin.username | quote }}
         {{- end }}
+        {{- if .Values.services.configs.enabled }}
+        - --config_file
+        - /etc/osmo/configs/config.yaml
+        {{- end }}
         {{- range $arg := .Values.services.service.extraArgs }}
         - {{ $arg | quote }}
         {{- end }}
@@ -192,14 +199,24 @@ spec:
         ports:
         - name: metrics
           containerPort: 9464
-        {{- if or .Values.services.configFile.enabled .Values.global.logs.enabled .Values.services.service.extraVolumeMounts }}
+        {{- if or .Values.services.configFile.enabled .Values.global.logs.enabled .Values.services.configs.enabled .Values.services.service.extraVolumeMounts }}
         volumeMounts:
         {{- end }}
         {{- if .Values.services.configFile.enabled}}
         - mountPath: {{ .Values.services.configFile.path }}
           name: mek-volume
           subPath: mek.yaml
         {{- end }}
+        {{- if .Values.services.configs.enabled }}
+        - name: configs
+          mountPath: /etc/osmo/configs
+          readOnly: true
+        {{- range .Values.services.configs.secretRefs }}
+        - name: secret-{{ .secretName }}
+          mountPath: /etc/osmo/secrets/{{ .secretName }}
+          readOnly: true
+        {{- end }}
+        {{- end }}
         {{- if .Values.global.logs.enabled }}
         - name: logs
           mountPath: /logs
@@ -262,6 +279,16 @@ spec:
             name: mek-config
           name: mek-volume
         {{- end}}
+        {{- if .Values.services.configs.enabled }}
+        - name: configs
+          configMap:
+            name: {{ .Values.services.service.serviceName }}-configs
+        {{- range .Values.services.configs.secretRefs }}
+        - name: secret-{{ .secretName }}
+          secret:
+            secretName: {{ .secretName }}
+        {{- end }}
+        {{- end }}
 ---
 {{- if .Values.sidecars.envoy.enabled }}
 

@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+{{- if .Values.services.configs.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.services.service.serviceName }}-configs
+  labels:
+    app: {{ .Values.services.service.serviceName }}
+data:
+  config.yaml: |
+    {{- $cfg := .Values.services.configs }}
+    {{- if $cfg.service }}
+    service:
+      {{- $service := deepCopy $cfg.service }}
+      {{- if and (not (index $service "service_base_url")) .Values.services.service.hostname }}
+      {{- $_ := set $service "service_base_url" (printf "https://%s" .Values.services.service.hostname) }}
+      {{- end }}
+      {{- toYaml $service | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.workflow }}
+    workflow:
+      {{- toYaml $cfg.workflow | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.dataset }}
+    dataset:
+      {{- toYaml $cfg.dataset | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.pools }}
+    pools:
+      {{- toYaml $cfg.pools | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.podTemplates }}
+    pod_templates:
+      {{- toYaml $cfg.podTemplates | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.resourceValidations }}
+    resource_validations:
+      {{- toYaml $cfg.resourceValidations | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.backends }}
+    backends:
+      {{- toYaml $cfg.backends | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.backendTests }}
+    backend_tests:
+      {{- toYaml $cfg.backendTests | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.groupTemplates }}
+    group_templates:
+      {{- toYaml $cfg.groupTemplates | nindent 6 }}
+    {{- end }}
+    {{- if $cfg.roles }}
+    roles:
+      {{- toYaml $cfg.roles | nindent 6 }}
+    {{- end }}
+{{- end }}
@@ -36,6 +36,9 @@ spec:
         {{- end }}
       annotations:
         {{- include "osmo.extra-annotations" .Values.services.logger | nindent 8 }}
+        {{- if .Values.services.configs.enabled }}
+        checksum/configs: {{ .Values.services.configs | toYaml | sha256sum }}
+        {{- end }}
     spec:
       {{- with .Values.services.logger.hostAliases }}
       hostAliases:
@@ -206,6 +209,11 @@ spec:
         - name: logs
           emptyDir: {}
         {{- end}}
+        {{- if .Values.services.configs.enabled }}
+        - name: configs
+          configMap:
+            name: {{ .Values.services.service.serviceName }}-configs
+        {{- end }}
         {{- if .Values.services.configFile.enabled}}
         - configMap:
             defaultMode: 420