fix: stac-auth-proxy autoscaling.

charts/eoapi/Chart.yaml

@@ -57,6 +57,6 @@ dependencies:
     repository: https://grafana.github.io/helm-charts
     condition: observability.grafana.enabled
   - name: stac-auth-proxy
-    version: 1.0.3
+    version: 1.1.0
     repository: oci://ghcr.io/developmentseed/stac-auth-proxy/charts
     condition: stac-auth-proxy.enabled

charts/eoapi/README.md

@@ -52,9 +52,14 @@ stac-auth-proxy:
   enabled: true
   env:
     OIDC_DISCOVERY_URL: "https://your-auth-server/.well-known/openid-configuration"
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 75
 ```
 
-When enabled, the ingress will automatically route STAC API requests through the auth proxy instead of directly to the STAC service.
+When enabled, the ingress will automatically route STAC API requests through the auth proxy instead of directly to the STAC service. Enable `stac-auth-proxy.autoscaling` when the proxy is the bottleneck; scaling STAC alone is not sufficient if traffic goes through the proxy. See [autoscaling documentation](../../docs/autoscaling.md#stac-auth-proxy).
 
 ## Quick Start with Profiles
 

charts/eoapi/profiles/experimental.yaml

@@ -369,7 +369,7 @@ ingress:
 stac-auth-proxy:
   enabled: true
   image:
-    tag: "v1.0.3"
+    tag: "v1.1.0"
   # For testing this will be set dynamically; for production, point to your OIDC server
   env:
     # OIDC_DISCOVERY_URL: "http://eoapi-mock-oidc-server.eoapi.svc.cluster.local:8080/.well-known/openid-configuration"

charts/eoapi/tests/stac-auth-proxy_autoscaling_tests.yaml

@@ -0,0 +1,45 @@
+suite: stac-auth-proxy autoscaling tests
+templates:
+  - charts/stac-auth-proxy/templates/hpa.yaml
+tests:
+  - it: "proxy hpa not created when autoscaling disabled"
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.env.OIDC_DISCOVERY_URL: "https://auth.example.com/.well-known/openid-configuration"
+      stac-auth-proxy.autoscaling.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: "proxy hpa created with cpu autoscaling when enabled"
+    set:
+      stac-auth-proxy.enabled: true
+      stac-auth-proxy.env.OIDC_DISCOVERY_URL: "https://auth.example.com/.well-known/openid-configuration"
+      stac-auth-proxy.autoscaling.enabled: true
+      stac-auth-proxy.autoscaling.minReplicas: 2
+      stac-auth-proxy.autoscaling.maxReplicas: 15
+      stac-auth-proxy.autoscaling.targetCPUUtilizationPercentage: 70
+    asserts:
+      - isKind:
+          of: HorizontalPodAutoscaler
+      - equal:
+          path: metadata.name
+          value: "RELEASE-NAME-stac-auth-proxy"
+      - equal:
+          path: spec.scaleTargetRef.kind
+          value: Deployment
+      - equal:
+          path: spec.scaleTargetRef.name
+          value: "RELEASE-NAME-stac-auth-proxy"
+      - equal:
+          path: spec.minReplicas
+          value: 2
+      - equal:
+          path: spec.maxReplicas
+          value: 15
+      - equal:
+          path: spec.metrics[0].resource.name
+          value: cpu
+      - equal:
+          path: spec.metrics[0].resource.target.averageUtilization
+          value: 70

charts/eoapi/values.schema.json

@@ -691,6 +691,50 @@
         }
       }
     },
+    "stac-auth-proxy": {
+      "type": "object",
+      "description": "STAC Auth Proxy subchart (authentication layer for STAC API)",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enable the stac-auth-proxy subchart"
+        },
+        "autoscaling": {
+          "type": "object",
+          "description": "CPU-based HPA (rendered by stac-auth-proxy subchart)",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "description": "Enable Horizontal Pod Autoscaler for the auth proxy"
+            },
+            "minReplicas": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Minimum number of proxy replicas"
+            },
+            "maxReplicas": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Maximum number of proxy replicas"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer",
+              "minimum": 1,
+              "maximum": 100,
+              "description": "Target CPU utilization percentage for autoscaling"
+            },
+            "behavior": {
+              "type": "object",
+              "description": "HPA scaling behavior configuration"
+            }
+          }
+        },
+        "resources": {
+          "type": "object",
+          "description": "Resource requests and limits for the auth proxy"
+        }
+      }
+    },
     "testing": {
       "type": "object",
       "description": "Test infrastructure components - DO NOT USE IN PRODUCTION",

charts/eoapi/values.yaml

@@ -457,16 +457,35 @@ stac:
       DB_MIN_CONN_SIZE: "1"
       DB_MAX_CONN_SIZE: "5" # Quite intensive (queries, transactions, searches)
 
-# STAC Auth Proxy - authentication layer for STAC API
+# STAC Auth Proxy - authentication layer for STAC API (subchart: stac-auth-proxy 1.1.0+)
 stac-auth-proxy:
   enabled: false
   image:
-    tag: "v1.0.3"
+    tag: "v1.1.0"
   ingress:
     enabled: false  # Handled by main eoapi ingress
   service:
     port: 8080
-  resources: {}
+  # Production-oriented defaults; override per cluster. Low CPU limits cause throttling under load.
+  resources:
+    requests:
+      cpu: 500m
+      memory: 256Mi
+    limits:
+      cpu: 2000m
+      memory: 512Mi
+  # CPU-based HPA from the stac-auth-proxy subchart (requires metrics-server).
+  # When enabled, replicaCount is ignored. Request-rate metrics are nginx-ingress-specific on main services only.
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 75
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 60
+      scaleUp:
+        stabilizationWindowSeconds: 0
   env:
     # OIDC_DISCOVERY_URL must be configured when enabling auth (required)
     # OIDC_DISCOVERY_INTERNAL_URL: in-cluster URL for startup health checks (subchart defaults to

docs/autoscaling.md

@@ -207,6 +207,35 @@ vector:
       requestRate: 75000m
 ```
 
+## STAC Auth Proxy
+
+When [STAC Auth Proxy](./stac-auth-proxy.md) is enabled, ingress routes STAC traffic through the proxy. Under load, the proxy can become the bottleneck while `stac` CPU utilization stays low—enable proxy autoscaling in addition to (or instead of) relying on STAC HPA alone.
+
+Autoscaling is provided by the **stac-auth-proxy subchart**. Configure it under `stac-auth-proxy.autoscaling` (CPU only; request-rate/`both` types apply to main eoAPI services with nginx ingress metrics).
+
+```yaml
+stac-auth-proxy:
+  enabled: true
+  resources:
+    requests:
+      cpu: 500m
+    limits:
+      cpu: 2000m
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 75
+```
+
+When `autoscaling.enabled` is true, `replicaCount` is ignored and the HPA manages replica count. Requires [metrics-server](#prerequisites) (or your cluster's equivalent) for CPU metrics.
+
+The HPA resource name is `{{ .Release.Name }}-stac-auth-proxy` (subchart fullname). Check status with:
+
+```bash
+kubectl get hpa -n <namespace> | grep stac-auth-proxy
+```
+
 ## Configuration Examples
 
 For complete configuration examples, see the [production profile](../charts/eoapi/profiles/production.yaml).

docs/stac-auth-proxy.md

@@ -54,6 +54,21 @@ stac-auth-proxy:
 
 For complete configuration options, see the [stac-auth-proxy configuration documentation](https://developmentseed.org/stac-auth-proxy/user-guide/configuration).
 
+### Autoscaling and resources
+
+The eoapi chart depends on stac-auth-proxy Helm, which includes an optional CPU-based HPA. Under production load, scale the proxy when it sits in front of STAC—STAC autoscaling alone may not help. See [Autoscaling — STAC Auth Proxy](./autoscaling.md#stac-auth-proxy).
+
+```yaml
+stac-auth-proxy:
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 75
+```
+
+When autoscaling is enabled, `replicaCount` is ignored.
+
 ### 3. Authentication Policy
 
 Control which endpoints require authentication: