From c0833d38210e0cd6a9ecf5fd3dbd77fe4829dd25 Mon Sep 17 00:00:00 2001
From: Paperclip <paperclip@noreply.com>
Date: Sun, 3 May 2026 17:33:37 +0000
Subject: [PATCH] fix(GRO-887): wire OIDC + BETTER_AUTH env vars into API
 deployment

Wire BETTER_AUTH_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, BETTER_AUTH_SECRET
into API deployment. Add conditional OIDC_INTERNAL_BASE env var. Add new values
betterAuthUrl + internalBaseUrl in values.yaml. Add authSecretName helper.

Cherry-picked from e26718b (original GRO-898 fix).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 charts/groombook/templates/_helpers.tpl       |  7 +++++++
 .../groombook/templates/api-deployment.yaml   | 21 +++++++++++++++++++
 charts/groombook/values.yaml                  |  2 ++
 3 files changed, 30 insertions(+)

diff --git a/charts/groombook/templates/_helpers.tpl b/charts/groombook/templates/_helpers.tpl
index 9c97648..93f19ad 100644
--- a/charts/groombook/templates/_helpers.tpl
+++ b/charts/groombook/templates/_helpers.tpl
@@ -119,3 +119,10 @@ uri
 database-url
 {{- end -}}
 {{- end }}
+
+{{/*
+Auth secret name — always use groombook-auth (sealed secret name)
+*/}}
+{{- define "groombook.authSecretName" -}}
+{{- printf "%s" "groombook-auth" }}
+{{- end }}
diff --git a/charts/groombook/templates/api-deployment.yaml b/charts/groombook/templates/api-deployment.yaml
index aaee7b0..6283210 100644
--- a/charts/groombook/templates/api-deployment.yaml
+++ b/charts/groombook/templates/api-deployment.yaml
@@ -50,6 +50,27 @@ spec:
             - name: OIDC_AUDIENCE
               value: {{ .Values.api.env.oidcAudience | quote }}
             {{- end }}
+            {{- if .Values.api.env.internalBaseUrl }}
+            - name: OIDC_INTERNAL_BASE
+              value: {{ .Values.api.env.internalBaseUrl | quote }}
+            {{- end }}
+            - name: BETTER_AUTH_URL
+              value: {{ .Values.api.env.betterAuthUrl | quote }}
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: OIDC_CLIENT_SECRET
+            - name: BETTER_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "groombook.authSecretName" . }}
+                  key: BETTER_AUTH_SECRET
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
diff --git a/charts/groombook/values.yaml b/charts/groombook/values.yaml
index 5f888a5..0e85682 100644
--- a/charts/groombook/values.yaml
+++ b/charts/groombook/values.yaml
@@ -18,6 +18,8 @@ api:
     corsOrigin: ""
     oidcIssuer: ""
     oidcAudience: groombook
+    betterAuthUrl: ""
+    internalBaseUrl: ""
     port: "3000"
   service:
     type: ClusterIP
-- 
2.52.0