calypr · matthewpeterkort · Mar 4, 2026 · Mar 11, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/helm/gecko/files/init-data/nav.json b/helm/gecko/files/init-data/nav.json
@@ -74,9 +74,9 @@
         "perms": null
       },
       {
-        "title": "GraphQL Query",
+        "title": "GraphQL Query Editor",
         "description": "Query graph databases via a web interface",
-        "icon": "/icons/query.svg",
+        "icon": "/icons/layers-intersect.svg",
         "href": "/Query",
         "perms": null
       }

diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
@@ -114,6 +114,10 @@ dependencies:
 - name: qdrant
   version: 1.15.4
   repository: "https://qdrant.github.io/qdrant-helm"
+- name: syfon
+  version: 0.1.0
+  repository: "file://../syfon"
+  condition: syfon.enabled
 
 # A chart can be either an 'application' or a 'library' chart.
 #

diff --git a/helm/revproxy/gen3.nginx.conf/drs-server-service.conf b/helm/revproxy/gen3.nginx.conf/drs-server-service.conf
@@ -0,0 +1,94 @@
+# Shared upstream
+set $drs_upstream http://drs-server$des_domain:8080;
+
+# GA4GH DRS
+location ^~ /ga4gh/ {
+    if ($csrf_check !~ ^ok-\S.+$) {
+     return 403 "failed csrf check";
+    }
+
+    set $proxy_service "drs-server";
+    proxy_pass $drs_upstream;
+    proxy_redirect http://$host/ https://$host/;
+}
+
+# Index API (exact + subtree)
+location /index {
+    set $proxy_service "drs-server";
+    proxy_pass $drs_upstream;
+    proxy_redirect http://$host/ https://$host/;
+}
+
+location ^~ /index/ {
+    if ($csrf_check !~ ^ok-\S.+$) {
+     return 403 "failed csrf check";
+    }
+
+    set $proxy_service "drs-server";
+    proxy_pass $drs_upstream;
+    proxy_redirect http://$host/ https://$host/;
+}
+
+# Upload / download canonical routes
+location ^~ /upload {
+
+    set $proxy_service "drs-server";
+    proxy_pass $drs_upstream;
+    proxy_redirect http://$host/ https://$host/;
+
+    # multipart helpers
+    client_max_body_size 0;
+    proxy_request_buffering off;
+    proxy_buffering off;
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+}
+
+location ^~ /download/ {
+    if ($csrf_check !~ ^ok-\S.+$) {
+     return 403 "failed csrf check";
+    }
+
+    set $proxy_service "drs-server";
+    proxy_pass $drs_upstream;
+    proxy_redirect http://$host/ https://$host/;
+}
+
+# Git LFS transport
+location ^~ /info/lfs/ {
+    if ($csrf_check !~ ^ok-\S.+$) {
+     return 403 "failed csrf check";
+    }
+
+    set $proxy_service "drs-server";
+    proxy_pass $drs_upstream;
+    proxy_redirect http://$host/ https://$host/;
+
+    client_max_body_size 0;
+    proxy_request_buffering off;
+    proxy_buffering off;
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+}
+
+location ^~ /data/ {
+    if ($csrf_check !~ ^ok-\S.+$) {
+      return 403 "failed csrf check";
+    }
+
+    set $proxy_service "drs-server";
+    proxy_pass http://drs-server$des_domain:8080;
+    proxy_redirect http://$host/ https://$host/;
+
+    client_max_body_size 0;
+    proxy_request_buffering off;
+    proxy_buffering off;
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+
+}
+
+location  /healthz {
+    set $proxy_service "drs-server";
+    proxy_pass http://drs-server$des_domain:8080;
+}
diff --git a/helm/revproxy/gen3.nginx.conf/fence-service-ga4gh.conf b/helm/revproxy/gen3.nginx.conf/fence-service-ga4gh.conf
@@ -1,10 +1,10 @@
-location ~ \/ga4gh\/drs\/v1\/objects\/(.*)\/access {
-    if ($csrf_check !~ ^ok-\S.+$) {
-      return 403 "failed csrf check";
-    }
-
-    set $proxy_service  "presigned-url-fence";
-    set $upstream http://presigned-url-fence-service$des_domain;
-    rewrite ^/user/(.*) /$1 break;
-    proxy_pass $upstream;
-}
+#location ~ \/ga4gh\/drs\/v1\/objects\/(.*)\/access {
+#    if ($csrf_check !~ ^ok-\S.+$) {
+#      return 403 "failed csrf check";
+#    }
+#
+#    set $proxy_service  "presigned-url-fence";
+#    set $upstream http://presigned-url-fence-service$des_domain;
+#    rewrite ^/user/(.*) /$1 break;
+#    proxy_pass $upstream;
+#}
diff --git a/helm/revproxy/gen3.nginx.conf/fence-service.conf b/helm/revproxy/gen3.nginx.conf/fence-service.conf
@@ -1,7 +1,4 @@
-# AuthN-proxy uses fence to provide authentication to downstream services
-# that don't implement our auth i.e. shiny, jupyter.
-# Fence also sets the REMOTE_USER header to the username
-# of the logged in user for later use
+# AuthN-proxy (unchanged)
 location /authn-proxy {
     internal;
     set $proxy_service  "fence";
@@ -12,57 +9,41 @@ location /authn-proxy {
     proxy_set_header Content-Length "";
     proxy_set_header X-Forwarded-For "$realip";
     proxy_set_header X-UserId "$userid";
-    proxy_set_header   X-ReqId "$request_id";
-    proxy_set_header   X-SessionId "$session_id";
-    proxy_set_header   X-VisitorId "$visitor_id";
-
-    # nginx bug that it checks even if request_body off
+    proxy_set_header X-ReqId "$request_id";
+    proxy_set_header X-SessionId "$session_id";
+    proxy_set_header X-VisitorId "$visitor_id";
     client_max_body_size 0;
 }
-
-location /user/ {
-    if ($csrf_check !~ ^ok-\S.+$) {
-      return 403 "failed csrf check";
-    }
-
-    set $proxy_service  "fence";
+# --------------------------------------------
+# FENCE OWNS AUTH/USER PROFILE FLOWS
+# --------------------------------------------
+location /user/register {
+    # no CSRF check at revproxy layer (as you already do)
+    set $proxy_service "fence";
     set $upstream http://fence-service$des_domain;
     rewrite ^/user/(.*) /$1 break;
     proxy_pass $upstream;
 }
 
-location /user/register {
-    # Like /user/ but without CSRF check. Registration form submission is
-    # incompatible with revproxy-level cookie-to-header CSRF check.
-    # Fence enforces its own CSRF protection here so this is OK.
-    set $proxy_service  "fence";
-    set $upstream http://fence-service$des_domain;
-    rewrite ^/user/(.*) /$1 break;
-    proxy_pass $upstream;
+location /user/metrics {
+    deny all;
 }
 
-location /user/data/download {
+# Catch-all for all other /user/* -> fence
+location ^~ /user/ {
     if ($csrf_check !~ ^ok-\S.+$) {
       return 403 "failed csrf check";
     }
 
-    set $proxy_service  "presigned-url-fence";
-    set $upstream http://presigned-url-fence-service$des_domain;
+    set $proxy_service "fence";
+    set $upstream http://fence-service$des_domain;
     rewrite ^/user/(.*) /$1 break;
     proxy_pass $upstream;
 }
 
-location /user/metrics {
-    deny all;
-}
-
-# OpenID Connect Discovery Endpoints
-location /.well-known/ {
-    if ($csrf_check !~ ^ok-\S.+$) {
-      return 403 "failed csrf check";
-    }
-
-    set $proxy_service  "fence";
+# OpenID discovery -> fence
+location ^~ /.well-known/ {
+    set $proxy_service "fence";
     set $upstream http://fence-service$des_domain;
     proxy_pass $upstream;
 }
diff --git a/helm/revproxy/gen3.nginx.conf/indexd-service.conf b/helm/revproxy/gen3.nginx.conf/indexd-service.conf
@@ -1,26 +1,26 @@
-location /ga4gh/ {
-    if ($csrf_check !~ ^ok-\S.+$) {
-      return 403 "failed csrf check";
-    }
+#location /ga4gh/ {
+#    if ($csrf_check !~ ^ok-\S.+$) {
+#      return 403 "failed csrf check";
+#    }
+#
+#    set $proxy_service  "indexd";
+#    set $upstream http://indexd-service$des_domain;
+#
+#    proxy_pass $upstream;
+#    proxy_redirect http://$host/ https://$host/;
+#}
 
-    set $proxy_service  "indexd";
-    set $upstream http://indexd-service$des_domain;
-
-    proxy_pass $upstream;
-    proxy_redirect http://$host/ https://$host/;
-}
-
-location /index/ {
-    if ($csrf_check !~ ^ok-\S.+$) {
-      return 403 "failed csrf check";
-    }
-
-    set $proxy_service  "indexd";
-    set $upstream http://indexd-service$des_domain;
-
-    rewrite ^/index/(.*) /$1 break;
-
-    proxy_pass $upstream;
-    proxy_redirect http://$host/ https://$host/index/;
-}
+#location /index/ {
+#    if ($csrf_check !~ ^ok-\S.+$) {
+#      return 403 "failed csrf check";
+#    }
+#
+#    set $proxy_service  "indexd";
+#    set $upstream http://indexd-service$des_domain;
+#
+#    rewrite ^/index/(.*) /$1 break;
+#
+#    proxy_pass $upstream;
+#    proxy_redirect http://$host/ https://$host/index/;
+#}
 
diff --git a/helm/syfon/Chart.yaml b/helm/syfon/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: syfon
+description: Helm chart for syfon (GA4GH DRS + Gen3 compatibility)
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+
diff --git a/helm/syfon/README.md b/helm/syfon/README.md
@@ -0,0 +1,43 @@
+# syfon Helm Chart
+
+This chart deploys `syfon` with:
+
+- Config mounted into the pod at `/etc/drs/config.yaml` (not baked into the image)
+- DB credentials injected via secret env vars (`DRS_DB_*`)
+- Optional PostgreSQL init job that mirrors indexd-style setup:
+  - creates app DB user
+  - creates app database
+  - applies DRS schema tables
+
+## Key Compatibility Notes
+
+- Secret keys mirror indexd credentials naming (`db_host`, `db_username`, `db_password`, `db_database`) with additional `db_port` and `db_sslmode`.
+- In `gen3` mode, `syfon` requires PostgreSQL.
+
+## Install
+
+```bash
+helm upgrade --install syfon ./helm/syfon
+```
+
+## Existing Secrets
+
+To reuse existing DB secrets:
+
+- Set `postgres.app.existingSecret`
+- Set `postgres.admin.existingSecret` (if `postgres.initJob.enabled=true`)
+
+## Health Probes
+
+The chart configures both readiness and liveness probes against `GET /healthz` on the container `http` port.
+
+Tune probe behavior via:
+
+- `probes.liveness.*`
+- `probes.readiness.*`
+
+## PostgreSQL Source of Truth
+
+By default this chart now inherits PostgreSQL host/port/admin credentials from `global.postgres.master.*` (the same pattern used by other Gen3 charts).
+
+Service-specific values under `postgres.app.*` and `postgres.admin.*` still override global values when set.
diff --git a/helm/syfon/templates/_helpers.tpl b/helm/syfon/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{- define "syfon.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "syfon.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := include "syfon.name" . -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "syfon.labels" -}}
+app.kubernetes.io/name: {{ include "syfon.name" . }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "syfon.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "syfon.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "syfon.appDbSecretName" -}}
+{{- if .Values.postgres.app.existingSecret -}}
+{{- .Values.postgres.app.existingSecret -}}
+{{- else -}}
+{{- .Values.postgres.app.secretName -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "syfon.adminDbSecretName" -}}
+{{- if .Values.postgres.admin.existingSecret -}}
+{{- .Values.postgres.admin.existingSecret -}}
+{{- else -}}
+{{- .Values.postgres.admin.secretName -}}
+{{- end -}}
+{{- end -}}
+