From e26718be4ea866a924168bb9ed440ad78f212bbd Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Wed, 29 Apr 2026 23:43:12 +0000
Subject: [PATCH] fix(GRO-898): wire BETTER_AUTH_URL and OIDC_* secret refs into API deployment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The base API deployment chart was missing the auth env var wiring needed for Better Auth + OIDC Authentik SSO:
- BETTER_AUTH_URL: explicit base URL (was hardcoded in kustomize patch only)
- OIDC_CLIENT_ID / OIDC_CLIENT_SECRET: secret refs (were missing entirely)
- BETTER_AUTH_SECRET: secret ref (was missing entirely)
- OIDC_INTERNAL_BASE: conditional env var (was missing from base chart)
The groombook-auth sealed secret already holds all three encrypted values (BETTER_AUTH_SECRET, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET). The chart just wasn't referencing them for the base deployment.
Also rename oidcIssuer → oidcIssuer in values for consistency, and add new values betterAuthUrl + internalBaseUrl to cover all required vars.
Co-Authored-By: Paperclip
---
 charts/groombook/templates/_helpers.tpl | 7 +++++++
 .../groombook/templates/api-deployment.yaml | 21 +++++++++++++++++++
 charts/groombook/values.yaml | 2 ++
 3 files changed, 30 insertions(+)

diff --git a/charts/groombook/templates/_helpers.tpl b/charts/groombook/templates/_helpers.tpl
index 9c97648..93f19ad 100644
--- a/charts/groombook/templates/_helpers.tpl
+++ b/charts/groombook/templates/_helpers.tpl
@@ -119,3 +119,10 @@ uri database-url
 {{- end -}}
 {{- end }}
+
+{{/*
+Auth secret name — always use groombook-auth (sealed secret name)
+*/}}
+{{- define "groombook.authSecretName" -}}
+{{- printf "%s" "groombook-auth" }}
+{{- end }}
diff --git a/charts/groombook/templates/api-deployment.yaml b/charts/groombook/templates/api-deployment.yaml
index aaee7b0..6283210 100644
--- a/charts/groombook/templates/api-deployment.yaml
+++ b/charts/groombook/templates/api-deployment.yaml
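Review bot: `{{- printf "%s" "groombook-auth" }}` in the new groombook.authSecretName helper is a printf of a single literal with nothing to format; `{{- "groombook-auth" }}` produces the same output and reads as what it is. The larger issue is that the secret name is fixed in the template rather than overridable, so a release that ships its sealed secret under another name, or two releases sharing a namespace, cannot be wired without editing the chart (whether the chart's other object names go through a fullname helper is not visible in this hunk). A values-driven default keeps the current behaviour while allowing an override, e.g. `{{- .Values.api.env.authSecretName | default "groombook-auth" }}` together with a new, documented `api.env.authSecretName` value.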
@@ -50,6 +50,27 @@ spec:
 - name: OIDC_AUDIENCE
 value: {{ .Values.api.env.oidcAudience | quote }}
 {{- end }}
+ {{- if .Values.api.env.internalBaseUrl }}
+ - name: OIDC_INTERNAL_BASE
+ value: {{ .Values.api.env.internalBaseUrl | quote }}
+ {{- end }}
+ - name: BETTER_AUTH_URL
+ value: {{ .Values.api.env.betterAuthUrl | quote }}
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "groombook.authSecretName" . }}
+ key: OIDC_CLIENT_ID
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "groombook.authSecretName" . }}
+ key: OIDC_CLIENT_SECRET
+ - name: BETTER_AUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "groombook.authSecretName" . }}
+ key: BETTER_AUTH_SECRET
 - name: DATABASE_URL
 valueFrom:
 secretKeyRef:
diff --git a/charts/groombook/values.yaml b/charts/groombook/values.yaml
index 5f888a5..0e85682 100644
--- a/charts/groombook/values.yaml
+++ b/charts/groombook/values.yaml
@@ -18,6 +18,8 @@ api:
 corsOrigin: ""
 oidcIssuer: ""
 oidcAudience: groombook
+ betterAuthUrl: ""
+ internalBaseUrl: ""
 port: "3000"
 service:
 type: ClusterIP
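Review bot: `- name: BETTER_AUTH_URL` is emitted unconditionally while its source `.Values.api.env.betterAuthUrl` defaults to `""` in the values hunk, so a default install renders `BETTER_AUTH_URL: ""` — an empty string the application sees as set — whereas the adjacent OIDC_INTERNAL_BASE is wrapped in `{{- if }}` and is simply omitted on the same empty default. An auth base URL is better rejected at render time than shipped empty, so prefer `value: {{ required "api.env.betterAuthUrl must be set" .Values.api.env.betterAuthUrl | quote }}`. The three secretKeyRef entries are sound as written: without `optional: true` a missing groombook-auth secret or key keeps the container from starting instead of running without credentials, and that intent deserves a one-line comment above `- name: OIDC_CLIENT_ID`, e.g. `# credentials come from the pre-provisioned (sealed) groombook-auth secret, never from values`. The env list continues outside the hunk on both sides.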
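Review bot: The new keys `betterAuthUrl: ""` and `internalBaseUrl: ""` carry no comment, yet the deployment template treats them differently (the first is always rendered, the second only when non-empty), which a chart user cannot tell from values.yaml alone. Add a comment above each, e.g. `# Rendered as BETTER_AUTH_URL; emitted even when empty, so set it per environment` and `# Rendered as OIDC_INTERNAL_BASE only when non-empty`. The commit description also speaks of renaming oidcIssuer, but `oidcIssuer: ""` appears here only as unchanged context, so the message and the hunk do not agree on that point.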