api/redis: scope upgrade notices to upgrades, document existingSecret auth

TheophileDiot · TheophileDiot · commit 56973b59a976 · 2026-05-22T10:52:45.000+02:00
diff --git a/charts/bunkerweb/templates/NOTES.txt b/charts/bunkerweb/templates/NOTES.txt
@@ -1,9 +1,9 @@
 BunkerWeb has been successfully deployed!
 
-{{- if ne (include "bunkerweb.apiEnabled" .) "true" }}
+{{- if and .Release.IsUpgrade (ne (include "bunkerweb.apiEnabled" .) "true") }}
 
 ================================================================================
-                       NOTICE (chart 1.0.19)
+                       UPGRADE NOTICE (chart 1.0.19)
 ================================================================================
 
 The external API is now DISABLED by default (was enabled in <= 1.0.18, where
@@ -12,7 +12,7 @@ default-on API, set api.enabled=true AND configure authentication
 (settings.api.useBearerToken / useUserPass / apiAclBootstrapFile).
 {{- end }}
 
-{{- if and .Values.redis.enabled .Values.redis.useConfigFile }}
+{{- if and .Release.IsUpgrade .Values.redis.enabled .Values.redis.useConfigFile }}
 
 ================================================================================
                        UPGRADE NOTICE (chart 1.0.17 / app 1.6.10)
diff --git a/charts/bunkerweb/templates/api-deployment.yaml b/charts/bunkerweb/templates/api-deployment.yaml
@@ -125,7 +125,7 @@ spec:
           - name: api-acl-bootstrap
             mountPath: /var/lib/bunkerweb/api_acl_bootstrap.json
           {{- end }}
-      {{- if .Values.settings.api.apiAclBootstrapFile }}        
+      {{- if .Values.settings.api.apiAclBootstrapFile }}
       volumes:
       - name: api-acl-bootstrap
         configMap:
diff --git a/charts/bunkerweb/values.yaml b/charts/bunkerweb/values.yaml
@@ -203,13 +203,19 @@ settings:
     # Choose at least one method of authentication
     # API Bearer Token
     useBearerToken:
-      # If enable, it will use settings.existingSecret
+      # If true, the token is read from settings.existingSecret.
+      # The auth guard only checks that existingSecret is set, NOT that it
+      # contains the "api-token" key — that key MUST exist in the secret or
+      # the API will crash-loop at runtime (render cannot inspect secret data).
       fromExistingSecret: false
       # If not using existingSecret, set the token here
       token: ""
     # Username and Password
     useUserPass:
-      # If enable, it will use settings.existingSecret
+      # If true, credentials are read from settings.existingSecret.
+      # The guard only checks that existingSecret is set, NOT that it contains
+      # the "api-username" and "api-password" keys — both MUST exist in the
+      # secret or the API will crash-loop at runtime.
       fromExistingSecret: false
       # If not using existingSecret, set the credentials here
       apiUsername: ""
