Merge pull request #47 from olamilekan000/make-auth-file-configurable

make auth file configurable with secret

Author: olamilekan000

.github/workflows/lint-test.yml

@@ -26,6 +26,9 @@ jobs:
       - name: Add Bitnami Charts Repo
         run: helm repo add bitnami https://charts.bitnami.com/bitnami
 
+      - name: Build chart dependencies
+        run: helm dependency build
+
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
@@ -38,8 +41,16 @@ jobs:
         run: ct lint --config ct.yaml --all
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.2.0
+        uses: helm/kind-action@v1.12.0
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Run chart-testing (install)
-        run: ct install --config ct.yaml
+      # - name: Run chart-testing (install subcharts)
+      #   run: ct install --config ct.yaml
+
+      - name: Test main convoy chart installation
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          echo "Testing main convoy chart with root values..."
+          helm install convoy-test . --values values.yaml --timeout 300s --wait --wait-for-jobs --debug
+          helm test convoy-test
+          helm uninstall convoy-test

.github/workflows/release.yml

@@ -41,7 +41,7 @@ jobs:
 
       - name: Package and upload helm chart
         env:
-          CR_TOKEN: ${{ secrets.PAT }}
+          CR_TOKEN: ${{ secrets.TEMP_PAT }}
           CR_VERSION: "1.8.1"
         run: |
           curl -sSLo cr.tar.gz "https://github.com/helm/chart-releaser/releases/download/v${CR_VERSION}/chart-releaser_${CR_VERSION}_linux_amd64.tar.gz"

Chart.lock

@@ -6,4 +6,4 @@ dependencies:
   repository: https://charts.bitnami.com/bitnami
   version: 17.11.3
 digest: sha256:2c6ff47eb9a3976dbdb1a5b762cdc4343ef1846f63a8f00a612c9da0336602b5
-generated: "2023-06-05T14:49:57.883606542+01:00"
+generated: "2025-10-07T05:58:55.875838+01:00"

Chart.yaml

@@ -21,4 +21,3 @@ dependencies:
     version: 17.11.3
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled
-

charts/agent/templates/deployment.yaml

@@ -99,6 +99,16 @@ spec:
             - name: CONVOY_DISPATCHER_CACERT_PATH
               value: "/etc/convoy/ca.crt"
             {{- end }}
+            {{- if and .Values.env.auth.file.secret (ne .Values.env.auth.file.secret "") }}
+            - name: CONVOY_BASIC_AUTH_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.env.auth.file.secret }}"
+                  key: basic_auth_config
+            {{- else if .Values.env.auth.file.basic }}
+            - name: CONVOY_BASIC_AUTH_CONFIG
+              value: {{ .Values.env.auth.file.basic | toJson | quote }}
+            {{- end }}
 
             {{- if .Values.global.externalDatabase.enabled }}
             - name: CONVOY_DB_SCHEME
@@ -183,7 +193,7 @@ spec:
               value: {{ .Values.env.smtp.url | quote }}
             - name: CONVOY_SMTP_USERNAME
               value: {{ .Values.env.smtp.username | quote }}
-            {{- if ne .Values.env.smtp.secret "" }}
+            {{- if and .Values.env.smtp.secret (ne .Values.env.smtp.secret "") }}
             - name: CONVOY_SMTP_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -237,7 +247,7 @@ spec:
               value: {{ .Values.env.storage.s3.bucket | quote }}
             - name: CONVOY_STORAGE_AWS_ACCESS_KEY
               value: {{ .Values.env.storage.s3.accessKey | quote }}
-            {{- if ne .Values.env.storage.s3.secret "" }}
+            {{- if and .Values.env.storage.s3.secret (ne .Values.env.storage.s3.secret "") }}
             - name: CONVOY_STORAGE_AWS_SECRET_KEY
               valueFrom:
                 secretKeyRef:

charts/agent/values.yaml

@@ -20,7 +20,7 @@ global:
     read_replica_dsn: ""
 
   externalDatabase:
-    enabled: true
+    enabled: false
     host: "postgresql"
     password: "postgres"
     database: "convoy"
@@ -40,13 +40,13 @@ global:
   externalRedis:
     enabled: false
     addresses: ""
-    host: ""
-    scheme: ""
+    host: "redis-master"
+    scheme: "redis"
     username: ""
     password: ""
     secret: ""
-    database: ""
-    port: ""
+    database: "0"
+    port: "6379"
 
 app:
   replicaCount: 1
@@ -64,14 +64,22 @@ app:
     prometheus.io/port: "{{ .Values.app.port }}"
 
 env:
-  sign_up_enabled: false
-  environment: ""
+  environment: "oss"
   proxy: ""
+  sign_up_enabled: false
   log_level: "error"
+  auth:
+    file:
+      basic: []
+      # -- If this secret parameter is not empty, basic auth inline value will be ignored. The basic auth config should be in the 'basic_auth_config' key
+      secret: ""
   smtp:
-    enabled: true
+    enabled: false
     from: ""
+    # -- Ignored in case of secret parameter with non-empty value
     password: ""
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
     port: 0
     provider: ""
     url: ""
@@ -80,7 +88,7 @@ env:
     reply_to: ""
   tracer:
     enabled: false
-    type: ""
+    type: "otel"
     otel:
       otel_auth:
         header_name: ""
@@ -110,7 +118,10 @@ env:
       bucket: ""
       prefix: ""
       accessKey: ""
+      # -- Ignored in case of secret parameter with non-empty value
       secretKey: ""
+      # -- If this secret parameter is not empty, secretKey value will be ignored. The password in the secret should be in the 'secretKey' key
+      secret: ""
       region: ""
       session_token: ""
       endpoint: ""
@@ -136,7 +147,7 @@ env:
 # - global.convoy.tag
 image:
   repository: getconvoy/convoy
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   tag: v25.9.2
 
 nameOverride: "convoy-agent"
@@ -148,7 +159,7 @@ service:
 
 autoscaling:
   enabled: true
-  minReplicas: 1
+  minReplicas: 2
   maxReplicas: 10
   targetCPUUtilizationPercentage: 80
   targetMemoryUtilizationPercentage: 80

charts/server/templates/deployment.yaml

@@ -134,10 +134,16 @@ spec:
             {{- end }}
             - name: CONVOY_JWT_REALM_ENABLED
               value: {{ .Values.env.auth.jwt.enabled | quote }}
-            {{- if .Values.env.auth.file.basic }}
+            {{- if ne .Values.env.auth.file.secret "" }}
+            - name: CONVOY_BASIC_AUTH_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.env.auth.file.secret }}"
+                  key: basic_auth_config
+            {{- else if .Values.env.auth.file.basic }}
             - name: CONVOY_BASIC_AUTH_CONFIG
               value: {{ .Values.env.auth.file.basic | toJson | quote }}
-            {{ end }}
+            {{- end }}
 
             {{- if .Values.global.externalDatabase.enabled }}
             - name: CONVOY_DB_SCHEME

charts/server/values.yaml

@@ -20,7 +20,7 @@ global:
     read_replica_dsn: ""
 
   externalDatabase:
-    enabled: true
+    enabled: false
     host: "postgresql"
     password: "postgres"
     database: "convoy"
@@ -33,20 +33,20 @@ global:
   nativeRedis:
     enabled: true
     host: "redis-master"
-    password: "convoy"
+    password: ""
     secret: ""
     port: 6379
 
   externalRedis:
     enabled: false
     addresses: ""
-    host: ""
-    scheme: ""
+    host: "redis-master"
+    scheme: "redis"
     username: ""
     password: ""
     secret: ""
-    database: ""
-    port: ""
+    database: "0"
+    port: "6379"
 
 app:
   replicaCount: 1
@@ -74,6 +74,8 @@ env:
       enabled: true
     file:
       basic: []
+      # -- If this secret parameter is not empty, basic auth inline value will be ignored. The basic auth config should be in the 'basic_auth_config' key
+      secret: ""
   log_level: "error"
   max_response_size: 50
   environment: ""
@@ -101,6 +103,8 @@ env:
       prefix: ""
       accessKey: ""
       secretKey: ""
+      # -- If this secret parameter is not empty, secretKey value will be ignored. The password in the secret should be in the 'secretKey' key
+      secret: ""
       region: ""
       session_token: ""
       endpoint: ""

ct.yaml

@@ -3,7 +3,8 @@ chart-dirs:
   - charts
 chart-repos:
   - bitnami=https://charts.bitnami.com/bitnami
-helm-extra-args: --timeout 600s
+helm-extra-args: --timeout 300s --wait --wait-for-jobs
+upgrade: true
 check-version-increment: true
 debug: true
 validate-maintainers: false

values.yaml

@@ -107,25 +107,30 @@ global:
     # -- redis cluster addresses, if set the other values won't be used
     addresses: ""
     # -- Host for the external redis
-    host: ""
+    host: "redis-master"
     # -- Scheme for the external redis. This can be redis, rediss, redis-socket or redis-sentinel
-    scheme: ""
+    scheme: "redis"
     # -- username for the external redis.
     username: ""
     # -- password for the external redis, ignored in case of secret parameter with non-empty value
-    password: ""
+    password: "convoy"
     # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
     secret: ""
     # -- Database name for the external redis.
-    database: ""
+    database: "0"
     # -- Port for the external redis
-    port: ""
+    port: "6379"
 
 # @ignored, used in case of external chart
 postgresql:
   # -- Set to false if you don't want to create a postgres instance
   enabled: true
   fullnameOverride: "postgresql"
+  image:
+    registry: docker.io
+    repository: bitnamilegacy/postgresql
+    tag:  17.6.0-debian-12-r0
+    pullPolicy: IfNotPresent 
   global:
     postgresql:
       auth:
@@ -138,6 +143,11 @@ postgresql:
 redis:
   # -- Set to false if you don't want to create a redis instance
   enabled: true
+  image:
+    registry: docker.io
+    repository: bitnamilegacy/redis
+    tag:  8.2.1-debian-12-r0
+    pullPolicy: IfNotPresent   
   architecture: standalone
   fullnameOverride: "redis"
   auth:
@@ -282,6 +292,8 @@ server:
         enabled: true
       file:
         basic: {}
+        # -- If this secret parameter is not empty, basic auth inline value will be ignored. The basic auth config should be in the 'basic_auth_config' key
+        secret: ""
     # @ignored
     tracer:
       type: *tracerType