fix(templates): sync env vars with config.go definitions

- Add DB_LOG_LEVEL, CLIENT_CREDENTIALS_TOKEN_EXPIRATION, and
  STATIC_CACHE_MAX_AGE env vars missing from the Helm chart
- Remove unused *_RATE_LIMIT_BURST env vars not read by the app

Author: appleboy

templates/configmap.yaml

@@ -21,6 +21,7 @@ data:
   DB_MAX_IDLE_CONNS: {{ .Values.dbPool.maxIdleConns | quote }}
   DB_CONN_MAX_LIFETIME: {{ .Values.dbPool.connMaxLifetime | quote }}
   DB_CONN_MAX_IDLE_TIME: {{ .Values.dbPool.connMaxIdleTime | quote }}
+  DB_LOG_LEVEL: {{ .Values.dbPool.logLevel | quote }}
 
   # JWT (non-sensitive)
   JWT_SIGNING_ALGORITHM: {{ .Values.jwt.signingAlgorithm | quote }}
@@ -59,15 +60,10 @@ data:
   RATE_LIMIT_STORE: {{ .Values.rateLimit.store | quote }}
   RATE_LIMIT_CLEANUP_INTERVAL: {{ .Values.rateLimit.cleanupInterval | quote }}
   LOGIN_RATE_LIMIT: {{ .Values.rateLimit.login | quote }}
-  LOGIN_RATE_LIMIT_BURST: {{ .Values.rateLimit.loginBurst | quote }}
   DEVICE_CODE_RATE_LIMIT: {{ .Values.rateLimit.deviceCode | quote }}
-  DEVICE_CODE_RATE_LIMIT_BURST: {{ .Values.rateLimit.deviceCodeBurst | quote }}
   TOKEN_RATE_LIMIT: {{ .Values.rateLimit.token | quote }}
-  TOKEN_RATE_LIMIT_BURST: {{ .Values.rateLimit.tokenBurst | quote }}
   DEVICE_VERIFY_RATE_LIMIT: {{ .Values.rateLimit.deviceVerify | quote }}
-  DEVICE_VERIFY_RATE_LIMIT_BURST: {{ .Values.rateLimit.deviceVerifyBurst | quote }}
   INTROSPECT_RATE_LIMIT: {{ .Values.rateLimit.introspect | quote }}
-  INTROSPECT_RATE_LIMIT_BURST: {{ .Values.rateLimit.introspectBurst | quote }}
 
   # Redis
   {{- if include "authgate.redisAvailable" . }}
@@ -157,6 +153,9 @@ data:
   ENABLE_TOKEN_ROTATION: {{ .Values.refreshToken.rotation | quote }}
   REFRESH_TOKEN_EXPIRATION: {{ .Values.refreshToken.expiration | quote }}
 
+  # Client Credentials Flow
+  CLIENT_CREDENTIALS_TOKEN_EXPIRATION: {{ .Values.clientCredentials.tokenExpiration | quote }}
+
   # Authorization Code Flow
   AUTH_CODE_EXPIRATION: {{ .Values.authCode.expiration | quote }}
   PKCE_REQUIRED: {{ .Values.authCode.pkceRequired | quote }}
@@ -166,6 +165,9 @@ data:
   ENABLE_DYNAMIC_CLIENT_REGISTRATION: {{ .Values.dynamicClientRegistration.enabled | quote }}
   DYNAMIC_CLIENT_REGISTRATION_RATE_LIMIT: {{ .Values.dynamicClientRegistration.rateLimit | quote }}
 
+  # Static File Caching
+  STATIC_CACHE_MAX_AGE: {{ .Values.staticCache.maxAge | quote }}
+
   # CORS
   CORS_ENABLED: {{ .Values.cors.enabled | quote }}
   {{- if .Values.cors.enabled }}

values.yaml

@@ -48,6 +48,8 @@ dbPool:
   maxIdleConns: 10
   connMaxLifetime: "5m"
   connMaxIdleTime: "10m"
+  # -- GORM log level: "silent", "error", "warn", "info"
+  logLevel: "warn"
 
 # ============================================================
 # Secrets
@@ -146,15 +148,10 @@ rateLimit:
   store: "memory"
   cleanupInterval: "5m"
   login: 5
-  loginBurst: 2
   deviceCode: 10
-  deviceCodeBurst: 3
   token: 20
-  tokenBurst: 5
   deviceVerify: 10
-  deviceVerifyBurst: 3
   introspect: 20
-  introspectBurst: 5
 
 # ============================================================
 # Audit Logging
@@ -281,6 +278,13 @@ refreshToken:
   rotation: false
   expiration: "720h"
 
+# ============================================================
+# Client Credentials Flow (RFC 6749 §4.4)
+# ============================================================
+clientCredentials:
+  # -- Access token lifetime for client_credentials grant
+  tokenExpiration: "1h"
+
 # ============================================================
 # Authorization Code Flow
 # ============================================================
@@ -304,6 +308,13 @@ expiredTokenCleanup:
   enabled: false
   interval: "1h"
 
+# ============================================================
+# Static File Caching
+# ============================================================
+staticCache:
+  # -- Cache-Control max-age for non-hashed static files (0 disables)
+  maxAge: "24h"
+
 # ============================================================
 # CORS
 # ============================================================