fix: existing-secret support; breaking change: license.key is not lisenceKey (#301)

Author: laszlocph

self-host/charts/capacitor-next/README.md

@@ -22,7 +22,7 @@ helm upgrade -i capacitor-next oci://ghcr.io/gimlet-io/charts/capacitor-next \
   --version 2025-11.1 \
   --namespace flux-system \
   --create-namespace \
-  --set license.key="your-license-key" \
+  --set licenseKey="your-license-key" \
   --set session.hashKey="base64:$(openssl rand -base64 32)" \
   --set session.blockKey="base64:$(openssl rand -base64 32)"
 ```
@@ -34,7 +34,7 @@ helm upgrade -i capacitor-next ./capacitor-next \
   --version 2025-11.1 \
   --namespace flux-system \
   --create-namespace \
-  --set license.key="your-license-key" \
+  --set licenseKey="your-license-key" \
   --set session.hashKey="base64:$(openssl rand -base64 32)" \
   --set session.blockKey="base64:$(openssl rand -base64 32)"
 ```
@@ -46,12 +46,14 @@ helm upgrade -i capacitor-next ./capacitor-next \
 For local development or testing:
 
 ```yaml
-license:
-  key: "contact laszlo@gimlet.io"
+licenseKey: "contact laszlo@gimlet.io"
 
 auth:
   method: noauth
 
+rbac:
+  createBuiltinEditorRole: true
+
 authorization:
   impersonateSaRules: "noauth=flux-system:capacitor-next-builtin-editor"
 
@@ -71,8 +73,7 @@ clusters:
 ### OIDC Authentication
 
 ```yaml
-license:
-  key: "your-license-key"
+licenseKey: "contact laszlo@gimlet.io"
 
 auth:
   method: oidc
@@ -83,7 +84,10 @@ auth:
     redirectUrl: "https://capacitor.example.com/auth/callback"
     authorizedEmails: "*@yourcompany.com"
 
-authorization:
+rbac:
+  createBuiltinEditorRole: true
+
+authorization: # if you don't have RBAC role defined and need a catch-all
   impersonateSaRules: "*@yourcompany.com=flux-system:capacitor-next-builtin-editor"
 
 session:
@@ -107,15 +111,17 @@ ingress:
 ### Static User Authentication
 
 ```yaml
-license:
-  key: "your-license-key"
+licenseKey: "contact laszlo@gimlet.io"
 
 auth:
   method: static
   static:
     # Generate with: htpasswd -bnBC 12 x 'mypassword' | cut -d: -f2
     users: "admin@example.com:$2y$12$..."
 
+rbac:
+  createBuiltinEditorRole: true
+
 authorization:
   impersonateSaRules: "admin@example.com=flux-system:capacitor-next-builtin-editor"
 
@@ -154,7 +160,7 @@ You can use an existing Kubernetes secret in addition to the built-in secret cre
 - Overriding specific environment variables from the built-in secret
 - Adding additional environment variables not managed by the chart
 
-When `existingSecret.name` is specified, both secrets are loaded via `envFrom`. The existing secret is loaded first, allowing it to override values from the built-in secret if they share the same keys.
+When `existingSecret.name` is specified, both secrets are loaded via `envFrom`. The existing secret is loaded last, allowing it to override values from the built-in secret if they share the same keys.
 
 **Example: Using External Secrets Operator**
 
@@ -165,8 +171,7 @@ existingSecret:
   name: capacitor-secrets-from-external-secrets-operator
 
 # All other configuration remains the same
-license:
-  key: "your-license-key"
+licenseKey: "your-license-key"
 auth:
   method: oidc
   # ... rest of config
@@ -201,10 +206,10 @@ See [values.yaml](./values.yaml) for all available configuration options.
 | `image.repository` | Container image repository | `ghcr.io/gimlet-io/capacitor-next` |
 | `image.tag` | Container image tag | `v2025-10.1` |
 | `replicaCount` | Number of replicas | `1` |
-| `license.key` | License key (required) | `""` |
+| `licenseKey` | License key | `""` |
 | `auth.method` | Authentication method: `oidc`, `noauth`, `static` | `noauth` |
-| `session.hashKey` | Session hash key (required) | `""` |
-| `session.blockKey` | Session block key (required) | `""` |
+| `session.hashKey` | Session hash key | `""` |
+| `session.blockKey` | Session block key | `""` |
 | `existingSecret.name` | Name of existing secret to use in addition to built-in secret | `""` |
 | `ingress.enabled` | Enable ingress | `false` |
 | `rbac.create` | Create RBAC resources | `true` |

self-host/charts/capacitor-next/templates/NOTES.txt

@@ -37,29 +37,4 @@ Get the application URL by running these commands:
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
 
-{{- if not .Values.license.key }}
-
-⚠️  WARNING: No license key has been configured!
-Please set .Values.license.key or contact laszlo@gimlet.io to obtain a license.
-{{- end }}
-
-{{- if not .Values.session.hashKey }}
-
-⚠️  WARNING: No session hash key has been configured!
-Please generate one with: openssl rand -base64 32
-And set both .Values.session.hashKey and .Values.session.blockKey
-{{- end }}
-
-Authentication Method: {{ .Values.auth.method }}
-
-{{- if eq .Values.auth.method "noauth" }}
-🔓 Running in no-auth mode. This is suitable for local development only.
-{{- else if eq .Values.auth.method "oidc" }}
-🔐 OIDC authentication is enabled.
-   Issuer: {{ .Values.auth.oidc.issuer }}
-{{- else if eq .Values.auth.method "static" }}
-🔑 Static user authentication is enabled.
-{{- end }}
-
 For more information, visit: https://github.com/gimlet-io/capacitor
-

self-host/charts/capacitor-next/templates/deployment.yaml

@@ -48,12 +48,12 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           envFrom:
+            - secretRef:
+                name: {{ include "capacitor-server.fullname" . }}
             {{- if .Values.existingSecret.name }}
             - secretRef:
                 name: {{ .Values.existingSecret.name }}
             {{- end }}
-            - secretRef:
-                name: {{ include "capacitor-server.fullname" . }}
           volumeMounts:
             - name: registry
               mountPath: /app/backend/registry.yaml

self-host/charts/capacitor-next/templates/secret.yaml

@@ -7,13 +7,26 @@ metadata:
     {{- include "capacitor-server.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  LICENSE_KEY: {{ .Values.license.key | quote }}
+  {{- if .Values.licenseKey }}
+  LICENSE_KEY: {{ .Values.licenseKey | quote }}
+  {{- end }}
+  {{- if .Values.auth }}
+  {{- if .Values.auth.method }}
   AUTH: {{ .Values.auth.method | quote }}
+  {{- end }}
   {{- if eq .Values.auth.method "oidc" }}
+  {{- if .Values.auth.oidc.issuer }}
   OIDC_ISSUER: {{ .Values.auth.oidc.issuer | quote }}
+  {{- end }}
+  {{- if .Values.auth.oidc.clientId }}
   OIDC_CLIENT_ID: {{ .Values.auth.oidc.clientId | quote }}
+  {{- end }}
+  {{- if .Values.auth.oidc.clientSecret }}
   OIDC_CLIENT_SECRET: {{ .Values.auth.oidc.clientSecret | quote }}
+  {{- end }}
+  {{- if .Values.auth.oidc.redirectUrl }}
   OIDC_REDIRECT_URL: {{ .Values.auth.oidc.redirectUrl | quote }}
+  {{- end }}
   {{- if .Values.auth.oidc.insecureSkipTlsVerify }}
   OIDC_INSECURE_SKIP_TLS_VERIFY: "true"
   {{- end }}
@@ -30,20 +43,29 @@ stringData:
   ENTRA_ID_FEDEREATED_TOKEN_AUTH: "true"
   {{- end }}
   {{- else if eq .Values.auth.method "static" }}
+  {{- if .Values.auth.static }}
+  {{- if .Values.auth.static.users }}
   USERS: {{ .Values.auth.static.users | quote }}
   {{- end }}
-  {{- if .Values.auth.oidc.debug }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.auth.debug }}
   OIDC_DEBUG: "true"
   {{- end }}
+  {{- end }}
+  {{- if .Values.authorization }}
   {{- if .Values.authorization.impersonateSaRules }}
   IMPERSONATE_SA_RULES: {{ .Values.authorization.impersonateSaRules | quote }}
   {{- end }}
+  {{- end }}
+  {{- if .Values.session }}
   {{- if .Values.session.hashKey }}
   SESSION_HASH_KEY: {{ .Values.session.hashKey | quote }}
   {{- end }}
   {{- if .Values.session.blockKey }}
   SESSION_BLOCK_KEY: {{ .Values.session.blockKey | quote }}
   {{- end }}
+  {{- end }}
   registry.yaml: |
     clusters:
     {{- range .Values.clusters }}
@@ -65,4 +87,3 @@ stringData:
         {{- end }}
         {{- end }}
     {{- end }}
-

self-host/charts/capacitor-next/values.yaml

@@ -52,52 +52,47 @@ azureWorkloadIdentity:
 rbac:
   create: true
   createImpersonatorRole: true
-  createBuiltinEditorRole: true
-
-# License configuration
-license:
-  key: ""  # Required: Contact laszlo@gimlet.io for a license key
 
 # Authentication configuration
-auth:
+# auth:
   # Authentication method: oidc, noauth, or static
-  method: noauth
+  # method: noauth
+  # debug: false
 
   # OIDC configuration (used when auth.method=oidc)
-  oidc:
-    issuer: ""
-    clientId: ""
-    clientSecret: ""
-    redirectUrl: ""
-    insecureSkipTlsVerify: false
-    scopes: "openid,profile,email"
-    groupsClaim: "groups"
-    authorizedEmails: ""
-    # Azure Entra ID specific
-    entraIdFederatedTokenAuth: false
-    # Debug flag: when set to true, logs impersonation headers for namespace listing (useful for OIDC debugging)
-    debug: false
+  # oidc:
+  #   issuer: ""
+  #   clientId: ""
+  #   clientSecret: ""
+  #   redirectUrl: ""
+  #   insecureSkipTlsVerify: false
+  #   scopes: "openid,profile,email"
+  #   groupsClaim: "groups"
+  #   authorizedEmails: ""
+  #   # Azure Entra ID specific
+  #   entraIdFederatedTokenAuth: false
+  #   # Debug flag: when set to true, logs impersonation headers for namespace listing (useful for OIDC debugging)
 
   # Static user configuration (used when auth.method=static)
-  static:
+  # static:
     # Format: "email:bcrypt_password[,email2:bcrypt_password]"
     # Generate password with: htpasswd -bnBC 12 x 'mypassword' | cut -d: -f2
-    users: ""
+    # users: ""
 
 # Authorization configuration
-authorization:
-  # Impersonation rules to map users to service accounts
-  # Format: "user=namespace:serviceaccount[,user2=namespace:serviceaccount]"
-  # Example: "noauth=flux-system:capacitor-next-builtin-editor"
-  # Wildcards supported: "*@company.com=flux-system:capacitor-next-builtin-editor"
-  impersonateSaRules: "noauth=flux-system:capacitor-next-builtin-editor"
+# authorization:
+#   # Impersonation rules to map users to service accounts
+#   # Format: "user=namespace:serviceaccount[,user2=namespace:serviceaccount]"
+#   # Example: "noauth=flux-system:capacitor-next-builtin-editor"
+#   # Wildcards supported: "*@company.com=flux-system:capacitor-next-builtin-editor"
+#   impersonateSaRules: "noauth=flux-system:capacitor-next-builtin-editor"
 
 # Session configuration
-session:
-  # Base64 encoded session keys
-  # Generate with: openssl rand -base64 32
-  hashKey: ""   # Required
-  blockKey: ""  # Required
+# session:
+#   # Base64 encoded session keys
+#   # Generate with: openssl rand -base64 32
+#   hashKey: ""   # Required
+#   blockKey: ""  # Required
 
 # Cluster registry configuration
 clusters: