fix(GRO-898): wire BETTER_AUTH_URL and OIDC_* secret refs into API deployment

The base API deployment chart was missing the auth env var wiring needed
for Better Auth + OIDC Authentik SSO:

- BETTER_AUTH_URL: explicit base URL (was hardcoded in kustomize patch only)
- OIDC_CLIENT_ID / OIDC_CLIENT_SECRET: secret refs (were missing entirely)
- BETTER_AUTH_SECRET: secret ref (was missing entirely)
- OIDC_INTERNAL_BASE: conditional env var (was missing from base chart)

The groombook-auth sealed secret already holds all three encrypted values
(BETTER_AUTH_SECRET, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET). The chart just
wasn't referencing them for the base deployment.

Also rename oidcIssuer → oidcIssuer in values for consistency, and add
new values betterAuthUrl + internalBaseUrl to cover all required vars.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Hugh Hackman
2026-04-29 23:43:12 +00:00
parent cd25d98384
commit e26718be4e
3 changed files with 30 additions and 0 deletions
+7
@@ -119,3 +119,10 @@ uri
database-url database-url
{{- end -}} {{- end -}}
{{- end }} {{- end }}
{{/*
Auth secret name always use groombook-auth (sealed secret name)
*/}}
{{- define "groombook.authSecretName" -}}
{{- printf "%s" "groombook-auth" }}
{{- end }}
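Review bot: the secret name in `groombook.authSecretName` is hardcoded, so a deployment whose sealed secret has any other name cannot be pointed at it without editing the template. Consider reading it from a value with this as the default, for example `{{- default "groombook-auth" .Values.api.authSecretName }}` (that value key is a suggestion, it is not in this chart). The `printf "%s"` wrapper around a string literal adds nothing and can be dropped, and the comment would read better as "always uses".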
@@ -50,6 +50,27 @@ spec:
- name: OIDC_AUDIENCE - name: OIDC_AUDIENCE
value: {{ .Values.api.env.oidcAudience | quote }} value: {{ .Values.api.env.oidcAudience | quote }}
{{- end }} {{- end }}
{{- if .Values.api.env.internalBaseUrl }}
- name: OIDC_INTERNAL_BASE
value: {{ .Values.api.env.internalBaseUrl | quote }}
{{- end }}
- name: BETTER_AUTH_URL
value: {{ .Values.api.env.betterAuthUrl | quote }}
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ include "groombook.authSecretName" . }}
key: OIDC_CLIENT_ID
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "groombook.authSecretName" . }}
key: OIDC_CLIENT_SECRET
- name: BETTER_AUTH_SECRET
valueFrom:
secretKeyRef:
name: {{ include "groombook.authSecretName" . }}
key: BETTER_AUTH_SECRET
- name: DATABASE_URL - name: DATABASE_URL
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
+2
@@ -18,6 +18,8 @@ api:
corsOrigin: "" corsOrigin: ""
oidcIssuer: "" oidcIssuer: ""
oidcAudience: groombook oidcAudience: groombook
betterAuthUrl: ""
internalBaseUrl: ""
port: "3000" port: "3000"
service: service:
type: ClusterIP type: ClusterIP
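Review bot: the two new keys under `api.env` carry no comment, and nothing says that `betterAuthUrl` must be set while `internalBaseUrl` is optional; a one-line comment on each, stating which URL is expected, would prevent an install that ships the empty default. The commit message also mentions a rename of `oidcIssuer`, but `oidcIssuer` appears here only as an unchanged context line, so please confirm whether a rename was intended or drop that line from the message.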