simonfranken/timetracker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add iOS redirect URI and JWT secret to Helm chart

Browse Source 
Add backend.oidc.iosRedirectUri (default: timetracker://oauth/callback) and
backend.jwt.secret to values.yaml and wire them into the backend deployment
as OIDC_IOS_REDIRECT_URI and JWT_SECRET env vars. Update NOTES.txt to surface
both values post-install.
This commit is contained in:
Simon Franken
2026-02-20 11:17:18 +01:00
parent e51dd58a6b
commit f758aa2fcd
3 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
timetracker-chart/templates/NOTES.txt
View File

@@ -33,8 +33,13 @@ IMPORTANT NOTES:
- Set postgresql.url in values.yaml to point to your existing database. - Set postgresql.url in values.yaml to point to your existing database.
- Make sure to change the OIDC configuration in values.yaml - Make sure to change the OIDC configuration in values.yaml
- Change the SESSION_SECRET from the default value for production - Change the SESSION_SECRET from the default value for production
- Set backend.jwt.secret to a dedicated secret in production (falls back to SESSION_SECRET if empty)
- Configure ingress host and TLS settings for your environment - Configure ingress host and TLS settings for your environment
OIDC Configuration Required: OIDC Configuration Required:
issuerUrl: {{ .Values.backend.oidc.issuerUrl | default "NOT SET - REQUIRED" }} issuerUrl: {{ .Values.backend.oidc.issuerUrl | default "NOT SET - REQUIRED" }}
clientId: {{ .Values.backend.oidc.clientId | default "NOT SET - REQUIRED" }} clientId: {{ .Values.backend.oidc.clientId | default "NOT SET - REQUIRED" }}
iosRedirectUri: {{ .Values.backend.oidc.iosRedirectUri }}
JWT (iOS Bearer auth):
jwt.secret: {{ if .Values.backend.jwt.secret }}(set){{ else }}NOT SET - falling back to session.secret{{ end }}

4
timetracker-chart/templates/backend-deployment.yaml
View File

@@ -56,8 +56,12 @@ spec:
value: {{ .Values.backend.oidc.clientId | quote }} value: {{ .Values.backend.oidc.clientId | quote }}
- name: OIDC_REDIRECT_URI - name: OIDC_REDIRECT_URI
value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s/api/auth/callback" | quote }} value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s/api/auth/callback" | quote }}
- name: OIDC_IOS_REDIRECT_URI
value: {{ .Values.backend.oidc.iosRedirectUri | quote }}
- name: SESSION_SECRET - name: SESSION_SECRET
value: {{ .Values.backend.session.secret | quote }} value: {{ .Values.backend.session.secret | quote }}
- name: JWT_SECRET
value: {{ .Values.backend.jwt.secret | quote }}
- name: APP_URL - name: APP_URL
value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s" | quote }} value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s" | quote }}
ports: ports:

10
timetracker-chart/values.yaml
View File

@@ -41,11 +41,21 @@ backend:
oidc: oidc:
issuerUrl: "" issuerUrl: ""
clientId: "" clientId: ""
# Redirect URI registered in the IDP for the iOS native app.
# Must match the custom URL scheme configured in the iOS app.
iosRedirectUri: "timetracker://oauth/callback"
# Session configuration # Session configuration
session: session:
secret: "change-this-secret-in-production" secret: "change-this-secret-in-production"
# JWT configuration (for iOS Bearer token auth)
# jwt.secret is used to sign backend-issued JWTs for the iOS app.
# If left empty it falls back to session.secret.
# Set this to a dedicated secret in production.
jwt:
secret: ""
env: env:
nodeEnv: production nodeEnv: production
port: 3001 port: 3001