fix(GRO-898): wire BETTER_AUTH_URL and OIDC_* secret refs into API deployment

The base API deployment chart was missing the auth env var wiring needed
for Better Auth + OIDC Authentik SSO:

- BETTER_AUTH_URL: explicit base URL (was hardcoded in kustomize patch only)
- OIDC_CLIENT_ID / OIDC_CLIENT_SECRET: secret refs (were missing entirely)
- BETTER_AUTH_SECRET: secret ref (was missing entirely)
- OIDC_INTERNAL_BASE: conditional env var (was missing from base chart)

The groombook-auth sealed secret already holds all three encrypted values
(BETTER_AUTH_SECRET, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET). The chart just
wasn't referencing them for the base deployment.

Also rename oidcIssuer → oidcIssuer in values for consistency, and add
new values betterAuthUrl + internalBaseUrl to cover all required vars.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

charts/groombook/templates/_helpers.tpl

@@ -119,3 +119,10 @@ uri
 database-url
 {{- end -}}
 {{- end }}
+
+{{/*
+Auth secret name — always use groombook-auth (sealed secret name)
+*/}}
+{{- define "groombook.authSecretName" -}}
+{{- printf "%s" "groombook-auth" }}
+{{- end }}

charts/groombook/templates/api-deployment.yaml

@@ -50,6 +50,27 @@ spec:
             - name: OIDC_AUDIENCE
               value: {{ .Values.api.env.oidcAudience | quote }}
             {{- end }}
+            {{- if .Values.api.env.internalBaseUrl }}
+            - name: OIDC_INTERNAL_BASE
+              value: {{ .Values.api.env.internalBaseUrl | quote }}
+            {{- end }}
+            - name: BETTER_AUTH_URL
+              value: {{ .Values.api.env.betterAuthUrl | quote }}
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: OIDC_CLIENT_SECRET
+            - name: BETTER_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: BETTER_AUTH_SECRET
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:

charts/groombook/values.yaml

@@ -18,6 +18,8 @@ api:
     corsOrigin: ""
     oidcIssuer: ""
     oidcAudience: groombook
+    betterAuthUrl: ""
+    internalBaseUrl: ""
     port: "3000"
   service:
     type: ClusterIP