From dfa3776c1f0ed32667ac256d415dcbdc72fe195e Mon Sep 17 00:00:00 2001
From: David Hadley
Date: Fri, 6 Feb 2026 09:19:26 +0000
Subject: [PATCH 1/2] chore(charts): support authn.diamond.ac.uk and identity-dev on pollux
---
 charts/workflows-cluster/staging-values.yaml | 23 ++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/charts/workflows-cluster/staging-values.yaml b/charts/workflows-cluster/staging-values.yaml
index 8a02a2d35..c48fa0463 100644
--- a/charts/workflows-cluster/staging-values.yaml
+++ b/charts/workflows-cluster/staging-values.yaml
@@ -102,3 +102,26 @@ authenticationConfiguration:
 message: 'username cannot use reserved system: prefix'
 - expression: "user.groups.all(group, !group.startsWith('system:'))"
 message: 'groups cannot use reserved system: prefix'
+ - issuer:
+ url: https://authn.diamond.ac.uk/realms/master
+ audiences:
+ - workflows-cluster-staging
+ - graph
+ audienceMatchPolicy: MatchAny
+ claimMappings:
+ username:
+ claim: fedid
+ prefix: "oidc:"
+ groups:
+ claim: groups
+ prefix: "oidc:"
+ uid:
+ claim: fedid
+ extra:
+ - key: 'workflows.diamond.ac.uk/posixuid'
+ valueExpression: 'string(claims.posix_uid)'
+ userValidationRules:
+ - expression: "!user.username.startsWith('system:')"
+ message: 'username cannot use reserved system: prefix'
+ - expression: "user.groups.all(group, !group.startsWith('system:'))"
+ message: 'groups cannot use reserved system: prefix'
From 0b780ec1f0aa0ecd7aa81629433752fe074cfe5e Mon Sep 17 00:00:00 2001
From: David Hadley
Date: Fri, 6 Feb 2026 09:25:58 +0000
Subject: [PATCH 2/2] chore(charts): support authn.diamond.ac.uk and identity on argus
---
 charts/workflows-cluster/Chart.yaml | 2 +-
 charts/workflows-cluster/values.yaml | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/charts/workflows-cluster/Chart.yaml b/charts/workflows-cluster/Chart.yaml
index 108aad6da..a234fac1d 100644
--- a/charts/workflows-cluster/Chart.yaml
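Review bot: In the staging-values.yaml hunk the added `authn.diamond.ac.uk/realms/master` authenticator maps `fedid` and `groups` under the `oidc:` prefix, the same prefix the `identity.diamond.ac.uk/realms/dls` entry added in values.yaml uses and presumably the one the pre-existing issuers use (their `claimMappings` lie outside both hunks). If so, any RBAC binding to `oidc:<fedid>` or `oidc:<group>` is satisfied by a token from either issuer, so authorization on each cluster is only as strong as the less tightly controlled realm; the commit subject names an `identity-dev` issuer on staging. If the realms are not equally authoritative for these claims, give each issuer its own prefix, e.g. `prefix: "authn:"` (constructed example); otherwise add a comment above each entry such as `# shares the oidc: namespace with the other issuer on purpose; both realms are authoritative for fedid and groups`. The `/realms/master` path also looks like a Keycloak administrative realm, so it is worth confirming that end-user tokens are meant to be issued from it.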
+++ b/charts/workflows-cluster/Chart.yaml
@@ -3,7 +3,7 @@ name: workflows-cluster
 description: A virtual cluster for Data Analysis workflows
 type: application
-version: 0.9.26
+version: 0.9.27
 dependencies:
 - name: common
 version: 2.23.0
diff --git a/charts/workflows-cluster/values.yaml b/charts/workflows-cluster/values.yaml
index 0895e42d5..67f43c791 100644
--- a/charts/workflows-cluster/values.yaml
+++ b/charts/workflows-cluster/values.yaml
@@ -140,6 +140,29 @@ ingress:
 authenticationConfiguration:
 jwt:
+ - issuer:
+ url: https://identity.diamond.ac.uk/realms/dls
+ audiences:
+ - workflows-cluster
+ - graph
+ audienceMatchPolicy: MatchAny
+ claimMappings:
+ username:
+ claim: fedid
+ prefix: "oidc:"
+ groups:
+ claim: groups
+ prefix: "oidc:"
+ uid:
+ claim: fedid
+ extra:
+ - key: 'workflows.diamond.ac.uk/posixuid'
+ valueExpression: 'string(claims.posix_uid)'
+ userValidationRules:
+ - expression: "!user.username.startsWith('system:')"
+ message: 'username cannot use reserved system: prefix'
+ - expression: "user.groups.all(group, !group.startsWith('system:'))"
+ message: 'groups cannot use reserved system: prefix'
 - issuer:
 url: https://authn.diamond.ac.uk/realms/master
 audiences:
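Review bot: The issuer added in the values.yaml hunk accepts `graph` as an audience under `audienceMatchPolicy: MatchAny`, so a token issued only for the `graph` client authenticates to this API server; the staging-values.yaml entry does the same with `workflows-cluster-staging` and `graph`. Any component that legitimately receives a graph-audience token can therefore present it to the cluster with the user's full RBAC, which widens the set of places a cluster credential can leak from. If graph is meant to forward user tokens, record that above the list with a comment such as `# graph forwards user tokens to the cluster; audience accepted deliberately`; otherwise drop `- graph` so only the cluster's own audience is accepted. Separately, `string(claims.posix_uid)` presumably fails evaluation, and with it authentication, for a token that lacks `posix_uid`, so confirm the new realm always issues that claim. The `jwt:` list continues past the end of the hunk.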