NVIDIA · RyaliNvidia · Feb 18, 2026 · Feb 5, 2026 · Feb 6, 2026 · Feb 10, 2026
@@ -89,7 +89,7 @@ spec:
             echo "Testing token validity..."
             TOKEN_TEST_RESPONSE=$(curl -s -w "%{http_code}" \
               -H "Authorization: Bearer $SECRET_TOKEN" \
-              $BASE_URL/api/auth/access_token \
+              $BASE_URL/api/auth/jwt/access_token \
               -G --data-urlencode "access_token=$SECRET_TOKEN" \
               -o /tmp/token_test.json)
 

@@ -104,6 +104,8 @@ listeners:
           internal_only_headers:
           - x-osmo-auth-skip
           - x-osmo-user
+          - x-osmo-token-name
+          - x-osmo-workflow-id
           virtual_hosts:
           - name: service
             domains: ["*"]
@@ -124,6 +126,8 @@ listeners:
                    request_handle:headers():remove("x-osmo-auth-skip")
                    request_handle:headers():remove("x-osmo-user")
                    request_handle:headers():remove("x-osmo-roles")
+                   request_handle:headers():remove("x-osmo-token-name")
+                   request_handle:headers():remove("x-osmo-workflow-id")
                    request_handle:headers():remove("x-envoy-internal")
                  end
         - name: add-auth-skip
@@ -439,8 +443,14 @@ listeners:
                         -- Create the roles list
                         local roles_list = table.concat(meta.verified_jwt.roles, ',')
 
-                        -- Add the header
+                        -- Add the headers
                         request_handle:headers():replace('x-osmo-roles', roles_list)
+                        if (meta.verified_jwt.osmo_token_name ~= nil) then
+                          request_handle:headers():replace('x-osmo-token-name', tostring(meta.verified_jwt.osmo_token_name))
+                        end
+                        if (meta.verified_jwt.osmo_workflow_id ~= nil) then
+                          request_handle:headers():replace('x-osmo-workflow-id', tostring(meta.verified_jwt.osmo_workflow_id))
+                        end
                       end
         {{- end }}
         - name: envoy.filters.http.router

@@ -100,6 +100,8 @@ data:
                 internal_only_headers:
                 - x-osmo-auth-skip
                 - x-osmo-user
+                - x-osmo-token-name
+                - x-osmo-workflow-id
 
                 virtual_hosts:
                 - name: service
@@ -150,6 +152,8 @@ data:
                         request_handle:headers():remove("x-osmo-auth-skip")
                         request_handle:headers():remove("x-osmo-user")
                         request_handle:headers():remove("x-osmo-roles")
+                        request_handle:headers():remove("x-osmo-token-name")
+                        request_handle:headers():remove("x-osmo-workflow-id")
                         request_handle:headers():remove("x-envoy-internal")
                       end
               - name: add-auth-skip
@@ -516,8 +520,14 @@ data:
                         -- Create the roles list
                         local roles_list = table.concat(meta.verified_jwt.roles, ',')
 
-                        -- Add the header
+                        -- Add the headers
                         request_handle:headers():replace('x-osmo-roles', roles_list)
+                        if (meta.verified_jwt.osmo_token_name ~= nil) then
+                          request_handle:headers():replace('x-osmo-token-name', tostring(meta.verified_jwt.osmo_token_name))
+                        end
+                        if (meta.verified_jwt.osmo_workflow_id ~= nil) then
+                          request_handle:headers():replace('x-osmo-workflow-id', tostring(meta.verified_jwt.osmo_workflow_id))
+                        end
                       end
 
               - name: envoy.filters.http.ratelimit
@@ -568,6 +578,8 @@ data:
                 internal_only_headers:
                 - x-osmo-auth-skip
                 - x-osmo-user
+                - x-osmo-token-name
+                - x-osmo-workflow-id
 
                 virtual_hosts:
                 - name: service

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -143,6 +143,10 @@ spec:
         - --log_name
         - api_service
         {{- end }}
+        {{- if .Values.services.defaultAdmin.enabled }}
+        - --default_admin_username
+        - {{ .Values.services.defaultAdmin.username | quote }}
+        {{- end }}
         {{- range $arg := .Values.services.service.extraArgs }}
         - {{ $arg | quote }}
         {{- end }}
@@ -165,6 +169,13 @@ spec:
               name: redis-secret
               key: redis-password
         {{- end }}
+        {{- if .Values.services.defaultAdmin.enabled }}
+        - name: OSMO_DEFAULT_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.services.defaultAdmin.passwordSecretName }}
+              key: {{ .Values.services.defaultAdmin.passwordSecretKey }}
+        {{- end }}
         imagePullPolicy: {{ .Values.services.service.imagePullPolicy }}
         securityContext:
           allowPrivilegeEscalation: false

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -159,6 +159,28 @@ services:
     ##
     passwordSecretKey: password
 
+  ## Default admin user configuration
+  ## When configured, the service will create an admin user on startup with the osmo-admin role
+  ## and an access_token set to the specified password
+  ##
+  defaultAdmin:
+    ## Enable default admin user creation
+    ## When enabled, username and password must be configured
+    ##
+    enabled: false
+
+    ## Username for the default admin user
+    ##
+    username: "admin"
+
+    ## Name of the Kubernetes secret containing the default admin password
+    ##
+    passwordSecretName: default-admin-secret
+
+    ## Key name in the secret that contains the default admin password
+    ##
+    passwordSecretKey: password
+
   ## Redis cache service configuration
   ## Set enabled to false if using an external Redis deployment
   ##

@@ -112,8 +112,14 @@ listeners:
                   -- Create the roles list
                   local roles_list = table.concat(meta.verified_jwt.roles, ',')
 
-                  -- Add the header
+                  -- Add the headers
                   request_handle:headers():replace('x-osmo-roles', roles_list)
+                  if (meta.verified_jwt.osmo_token_name ~= nil) then
+                    request_handle:headers():replace('x-osmo-token-name', tostring(meta.verified_jwt.osmo_token_name))
+                  end
+                  if (meta.verified_jwt.osmo_workflow_id ~= nil) then
+                    request_handle:headers():replace('x-osmo-workflow-id', tostring(meta.verified_jwt.osmo_workflow_id))
+                  end
                 end
         {{- end }}
         - name: envoy.filters.http.router
@@ -157,6 +163,8 @@ name: service_routes
 internal_only_headers:
 - x-osmo-auth-skip
 - x-osmo-user
+- x-osmo-token-name
+- x-osmo-workflow-id
 virtual_hosts:
 - name: service
   domains: ["*"]
@@ -208,6 +216,8 @@ Generate simplified Lua filters for UI chart
           -- Strip dangerous headers that should never come from external clients
           request_handle:headers():remove("x-osmo-auth-skip")
           request_handle:headers():remove("x-osmo-user")
+          request_handle:headers():remove("x-osmo-token-name")
+          request_handle:headers():remove("x-osmo-workflow-id")
         end
 - name: add-auth-skip
   typed_config:

@@ -1,5 +1,5 @@
 ..
-  SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -582,14 +582,24 @@ Step 8: Install Backend Operator
       $ osmo login https://<your-domain> --method=dev --username=testuser
 
 
-3. Create the account token secret:
+3. Create the service account and token:
 
-   Generate a token for the backend operator with OSMO CLI:
+   Create a service account user and generate a token for the backend operator with OSMO CLI:
 
    .. code-block:: bash
 
-      $ export BACKEND_TOKEN=$(osmo token set backend-token --expires-at <insert-date> --description "Backend Operator Token" --service --roles osmo-backend -t json | jq -r '.token')
+      # Create the service account user
+      $ osmo user create backend-operator --roles osmo-backend
 
+      # Generate a token for the service account with the osmo-backend role
+      $ export BACKEND_TOKEN=$(osmo token set backend-token \
+          --user backend-operator \
+          --expires-at <insert-date> \
+          --description "Backend Operator Token" \
+          --roles osmo-backend \
+          -t json | jq -r '.token')
+
+      # Create the Kubernetes secret
       $ kubectl create secret generic osmo-operator-token --from-literal=token=$BACKEND_TOKEN --namespace osmo-operator