fix: align Helm chart with codebase after rebase

- Add SESSION_BACKEND=database to configmap so PostgreSQL is actually
  used for ADK session persistence instead of in-memory default
- Add GMA_CLIENT_ID and GMA_CLIENT_SECRET to secret and handler
  deployment for DCR tenant creation when handler is enabled
- Default skipOrderValidation to false; order validation is not reached
  when the marketplace handler is disabled anyway

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: luis5tb

deploy/openshift/templates/configmap.yaml

@@ -32,6 +32,7 @@ data:
   AGENT_PORT: {{ .Values.agent.port | quote }}
 
   # Session PostgreSQL Configuration
+  SESSION_BACKEND: {{ .Values.postgresql.sessionBackend | quote }}
   SESSION_DB_USER: {{ .Values.postgresql.user | quote }}
   SESSION_DB_NAME: {{ .Values.postgresql.database | quote }}
 

deploy/openshift/templates/handler-deployment.yaml

@@ -66,6 +66,16 @@ spec:
                 secretKeyRef:
                   name: {{ include "lightspeed-agent.fullname" . }}-secrets
                   key: DCR_ENCRYPTION_KEY
+            - name: GMA_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: GMA_CLIENT_ID
+            - name: GMA_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: GMA_CLIENT_SECRET
           volumeMounts:
             - name: gcp-sa-key
               mountPath: /var/run/secrets/gcp

deploy/openshift/templates/secret.yaml

@@ -16,4 +16,6 @@ stringData:
   DATABASE_URL: {{ .Values.secrets.databaseUrl | quote }}
   DCR_INITIAL_ACCESS_TOKEN: {{ .Values.secrets.dcrInitialAccessToken | quote }}
   DCR_ENCRYPTION_KEY: {{ .Values.secrets.dcrEncryptionKey | quote }}
+  GMA_CLIENT_ID: {{ .Values.secrets.gmaClientId | quote }}
+  GMA_CLIENT_SECRET: {{ .Values.secrets.gmaClientSecret | quote }}
 {{- end }}

deploy/openshift/values.yaml

@@ -68,8 +68,9 @@ auth:
   # Skip JWT validation entirely (development only — do NOT enable in production)
   skipJwtValidation: false
   # Skip marketplace order-id validation while keeping JWT introspection.
-  # Should be true for OpenShift deployments without the Marketplace handler.
-  skipOrderValidation: true
+  # When the marketplace handler is disabled, order validation code is not
+  # executed regardless of this setting.
+  skipOrderValidation: false
 
 # ---------------------------------------------------------------------------
 # Rate limiting (Redis-backed)
@@ -107,6 +108,9 @@ postgresql:
     repository: registry.redhat.io/rhel9/postgresql-16
     tag: latest
     pullPolicy: IfNotPresent
+  # Session storage backend: "database" persists sessions in PostgreSQL,
+  # "memory" uses in-memory sessions (lost on pod restart).
+  sessionBackend: database
   user: sessions
   database: agent_sessions
   storage:
@@ -207,5 +211,8 @@ secrets:
   dcrInitialAccessToken: ""
   # Fernet key for encrypting stored client secrets
   dcrEncryptionKey: ""
+  # GMA SSO API credentials for DCR tenant creation (handler only)
+  gmaClientId: ""
+  gmaClientSecret: ""
   # Base64-encoded GCP service account key JSON (for ADC outside Cloud Run)
   gcpServiceAccountKey: ""