From f758aa2fcdf470069b46fc191889838448870739 Mon Sep 17 00:00:00 2001 From: Simon Franken Date: Fri, 20 Feb 2026 11:17:18 +0100 Subject: [PATCH] Add iOS redirect URI and JWT secret to Helm chart Add backend.oidc.iosRedirectUri (default: timetracker://oauth/callback) and backend.jwt.secret to values.yaml and wire them into the backend deployment as OIDC_IOS_REDIRECT_URI and JWT_SECRET env vars. Update NOTES.txt to surface both values post-install. --- timetracker-chart/templates/NOTES.txt | 9 +++++++-- timetracker-chart/templates/backend-deployment.yaml | 4 ++++ timetracker-chart/values.yaml | 10 ++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/timetracker-chart/templates/NOTES.txt b/timetracker-chart/templates/NOTES.txt index 7388a71..b62abc5 100644 --- a/timetracker-chart/templates/NOTES.txt +++ b/timetracker-chart/templates/NOTES.txt @@ -33,8 +33,13 @@ IMPORTANT NOTES: - Set postgresql.url in values.yaml to point to your existing database. - Make sure to change the OIDC configuration in values.yaml - Change the SESSION_SECRET from the default value for production +- Set backend.jwt.secret to a dedicated secret in production (falls back to SESSION_SECRET if empty) - Configure ingress host and TLS settings for your environment OIDC Configuration Required: - issuerUrl: {{ .Values.backend.oidc.issuerUrl | default "NOT SET - REQUIRED" }} - clientId: {{ .Values.backend.oidc.clientId | default "NOT SET - REQUIRED" }} \ No newline at end of file + issuerUrl: {{ .Values.backend.oidc.issuerUrl | default "NOT SET - REQUIRED" }} + clientId: {{ .Values.backend.oidc.clientId | default "NOT SET - REQUIRED" }} + iosRedirectUri: {{ .Values.backend.oidc.iosRedirectUri }} + +JWT (iOS Bearer auth): + jwt.secret: {{ if .Values.backend.jwt.secret }}(set){{ else }}NOT SET - falling back to session.secret{{ end }} \ No newline at end of file 
diff --git a/timetracker-chart/templates/backend-deployment.yaml b/timetracker-chart/templates/backend-deployment.yaml index 9bf277a..ab86ee3 100644 --- a/timetracker-chart/templates/backend-deployment.yaml +++ b/timetracker-chart/templates/backend-deployment.yaml @@ -56,8 +56,12 @@ spec: value: {{ .Values.backend.oidc.clientId | quote }} - name: OIDC_REDIRECT_URI value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s/api/auth/callback" | quote }} + - name: OIDC_IOS_REDIRECT_URI + value: {{ .Values.backend.oidc.iosRedirectUri | quote }} - name: SESSION_SECRET value: {{ .Values.backend.session.secret | quote }} + - name: JWT_SECRET + value: {{ .Values.backend.jwt.secret | quote }} - name: APP_URL value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s" | quote }} ports: diff --git a/timetracker-chart/values.yaml b/timetracker-chart/values.yaml index 3d710ef..df0c60b 100644 --- a/timetracker-chart/values.yaml +++ b/timetracker-chart/values.yaml @@ -41,11 +41,21 @@ backend: oidc: issuerUrl: "" clientId: "" + # Redirect URI registered in the IDP for the iOS native app. + # Must match the custom URL scheme configured in the iOS app. + iosRedirectUri: "timetracker://oauth/callback" # Session configuration session: secret: "change-this-secret-in-production" + # JWT configuration (for iOS Bearer token auth) + # jwt.secret is used to sign backend-issued JWTs for the iOS app. + # If left empty it falls back to session.secret. + # Set this to a dedicated secret in production. + jwt: + secret: "" + env: nodeEnv: production port: 3001
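Review bot: JWT_SECRET is rendered as a literal `value:` on the container, so the signing key lands in the Deployment manifest, in `kubectl get deploy -o yaml` output, in the Helm release history and in any GitOps repo that stores rendered output; this copies the exposure the existing SESSION_SECRET line already has. Prefer a Kubernetes Secret referenced through `valueFrom: secretKeyRef:` (or an `existingSecret`-style value) so neither key is readable by anyone with read access on Deployments. With the shipped defaults this line renders `JWT_SECRET: ""`, and per the NOTES.txt and values.yaml text in this same commit the backend then falls back to SESSION_SECRET, whose default is the public placeholder `change-this-secret-in-production`, so an unmodified install would sign iOS bearer tokens with a known key (the fallback itself lives in the backend and is not visible here). Until the Secret refactor, fail the render rather than ship an empty key: `value: {{ required "backend.jwt.secret must be set" .Values.backend.jwt.secret | quote }}`.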
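Review bot: The `secret: ""` default under `jwt:` together with the documented fallback to `session.secret` means an install that sets neither signs iOS bearer tokens with the chart's published placeholder `change-this-secret-in-production`; the comment should say this outright and steer users to supply the value at install time (`--set backend.jwt.secret=...` or a separate, uncommitted values file) instead of editing this file, which is normally committed. Suggested addition under the existing `jwt:` comment block: `# Do not leave both this and session.secret at their defaults in production: the fallback would sign bearer tokens with the placeholder key.` Separately, `iosRedirectUri: "timetracker://oauth/callback"` is a custom URL scheme, and on iOS any app can register the same scheme and receive the authorization code; the chart cannot enforce the mitigation, but the comment should state the assumption, e.g. `# Custom-scheme redirects are not exclusive on iOS: the app must use PKCE (or a Universal Link https:// redirect) to prevent code interception.`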