fix(templates): merge env blocks and add missing rate limit vars

- Combine REDIS_PASSWORD and extraEnv into a single env block in
  deployment.yaml to prevent extraEnv from overwriting REDIS_PASSWORD
- Add missing INTROSPECT_RATE_LIMIT and INTROSPECT_RATE_LIMIT_BURST
  to configmap.yaml that were defined in values.yaml but not rendered
- Add extraEnv support to metrics-leader deployment for consistency
- Clarify README example YAML comments to avoid confusion with ci/ files

Author: appleboy

README.md

@@ -134,7 +134,7 @@ helm install authgate . -f values-sqlite.yaml
 For production multi-replica deployments with external databases:
 
 ```yaml
-# values-ha-external.yaml
+# Example: HA with external databases
 replicaCount: 3
 database:
   driver: postgres
@@ -183,7 +183,7 @@ helm install authgate . -f values-ha-external.yaml
 One-click setup with bundled PostgreSQL and Redis:
 
 ```yaml
-# values-ha-subchart.yaml
+# Example: HA with bundled subcharts
 replicaCount: 2
 database:
   driver: postgres

templates/configmap.yaml

@@ -66,6 +66,8 @@ data:
   TOKEN_RATE_LIMIT_BURST: {{ .Values.rateLimit.tokenBurst | quote }}
   DEVICE_VERIFY_RATE_LIMIT: {{ .Values.rateLimit.deviceVerify | quote }}
   DEVICE_VERIFY_RATE_LIMIT_BURST: {{ .Values.rateLimit.deviceVerifyBurst | quote }}
+  INTROSPECT_RATE_LIMIT: {{ .Values.rateLimit.introspect | quote }}
+  INTROSPECT_RATE_LIMIT_BURST: {{ .Values.rateLimit.introspectBurst | quote }}
 
   # Redis
   {{- if include "authgate.redisAvailable" . }}

templates/deployment-metrics-leader.yaml

@@ -67,6 +67,9 @@ spec:
                   name: {{ .Release.Name }}-redis
                   key: redis-password
             {{- end }}
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /health

templates/deployment.yaml

@@ -65,13 +65,18 @@ spec:
                 name: {{ include "authgate.configMapName" . }}
             - secretRef:
                 name: {{ include "authgate.secretName" . }}
-          {{- if and .Values.redis.enabled .Values.redis.auth.enabled }}
+          {{- if or (and .Values.redis.enabled .Values.redis.auth.enabled) .Values.extraEnv }}
           env:
+            {{- if and .Values.redis.enabled .Values.redis.auth.enabled }}
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ .Release.Name }}-redis
                   key: redis-password
+            {{- end }}
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
           livenessProbe:
             httpGet:
@@ -107,10 +112,6 @@ spec:
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
-          {{- with .Values.extraEnv }}
-          env:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
       volumes:
         {{- if eq .Values.database.driver "sqlite" }}
         - name: data