feat(chart): add TLS, rate limit burst and client cache settings

- Add server.tls.certFile/keyFile for optional HTTPS support
- Add per-endpoint rate limit burst sizes for memory store
- Add cache.client settings for OAuth client lookup cache

Author: appleboy

templates/configmap.yaml

@@ -9,6 +9,10 @@ data:
   SERVER_ADDR: {{ .Values.server.addr | quote }}
   BASE_URL: {{ .Values.server.baseUrl | quote }}
   ENVIRONMENT: {{ .Values.server.environment | quote }}
+  {{- if and .Values.server.tls.certFile .Values.server.tls.keyFile }}
+  TLS_CERT_FILE: {{ .Values.server.tls.certFile | quote }}
+  TLS_KEY_FILE: {{ .Values.server.tls.keyFile | quote }}
+  {{- end }}
 
   # Database
   DATABASE_DRIVER: {{ .Values.database.driver | quote }}
@@ -60,9 +64,13 @@ data:
   RATE_LIMIT_STORE: {{ .Values.rateLimit.store | quote }}
   RATE_LIMIT_CLEANUP_INTERVAL: {{ .Values.rateLimit.cleanupInterval | quote }}
   LOGIN_RATE_LIMIT: {{ .Values.rateLimit.login | quote }}
+  LOGIN_RATE_LIMIT_BURST: {{ .Values.rateLimit.loginBurst | quote }}
   DEVICE_CODE_RATE_LIMIT: {{ .Values.rateLimit.deviceCode | quote }}
+  DEVICE_CODE_RATE_LIMIT_BURST: {{ .Values.rateLimit.deviceCodeBurst | quote }}
   TOKEN_RATE_LIMIT: {{ .Values.rateLimit.token | quote }}
+  TOKEN_RATE_LIMIT_BURST: {{ .Values.rateLimit.tokenBurst | quote }}
   DEVICE_VERIFY_RATE_LIMIT: {{ .Values.rateLimit.deviceVerify | quote }}
+  DEVICE_VERIFY_RATE_LIMIT_BURST: {{ .Values.rateLimit.deviceVerifyBurst | quote }}
   INTROSPECT_RATE_LIMIT: {{ .Values.rateLimit.introspect | quote }}
 
   # Redis
@@ -112,6 +120,12 @@ data:
   CLIENT_COUNT_CACHE_CLIENT_TTL: {{ .Values.cache.clientCount.clientTTL | quote }}
   CLIENT_COUNT_CACHE_SIZE_PER_CONN: {{ .Values.cache.clientCount.sizePerConn | quote }}
 
+  # Client Cache (OAuth client lookups by client_id)
+  CLIENT_CACHE_TYPE: {{ .Values.cache.client.type | quote }}
+  CLIENT_CACHE_TTL: {{ .Values.cache.client.ttl | quote }}
+  CLIENT_CACHE_CLIENT_TTL: {{ .Values.cache.client.clientTTL | quote }}
+  CLIENT_CACHE_SIZE_PER_CONN: {{ .Values.cache.client.sizePerConn | quote }}
+
   # OAuth Providers
   OAUTH_AUTO_REGISTER: {{ .Values.oauth.autoRegister | quote }}
   OAUTH_TIMEOUT: {{ .Values.oauth.timeout | quote }}

values.yaml

@@ -24,6 +24,13 @@ server:
   # -- Environment mode: "production" or "development"
   # production: session cookies require HTTPS, stricter security headers
   environment: "production"
+  # -- TLS / HTTPS (optional). When both certFile and keyFile are set,
+  # AuthGate serves HTTPS on server.addr. Mount the PEM files into the pod via
+  # extraVolumes/extraVolumeMounts and point these paths at the mounted location.
+  # Remember to update server.baseUrl to https://... when enabling TLS.
+  tls:
+    certFile: ""
+    keyFile: ""
 
 # ============================================================
 # Database Configuration
@@ -152,6 +159,11 @@ rateLimit:
   token: 20
   deviceVerify: 10
   introspect: 20
+  # -- Burst sizes (requests per minute). Ignored when store=redis.
+  loginBurst: 2
+  deviceCodeBurst: 3
+  tokenBurst: 5
+  deviceVerifyBurst: 3
 
 # ============================================================
 # Audit Logging
@@ -213,6 +225,13 @@ cache:
     ttl: "1h"
     clientTTL: "10m"
     sizePerConn: 32
+  # -- OAuth client lookup cache (queried on every OAuth flow).
+  # Mutations (create/update/delete/approve/reject/secret regen) invalidate immediately.
+  client:
+    type: "memory"
+    ttl: "5m"
+    clientTTL: "30s"
+    sizePerConn: 32
 
 # ============================================================
 # Authentication