Context
Corveil grows three new platform integrations that the chart must wire:
- Stripe — billing API secret + webhook signing secret.
- Okta OIDC — client ID + secret for SaaS login.
- BYOK encryption key — the CORVEIL_SECRET_KEY used to AES-256 encrypt per-org provider credentials in the database.
All three come from OCI Vault, synced into K8s Secrets by external-secrets-operator (provisioned by corveil-oci-infra). The chart should not embed secrets — it references existing Secret names the deployer provides.
Goal
Add values + templating so a deployer can point the chart at pre-existing K8s Secrets (written by ESO from OCI Vault) without modifying templates.
Work items
- values.yaml additions (with defaults commented):
- templates/env.yaml / templates/secrets.yaml (or the equivalent envFrom/env blocks in the Deployment) to project these as CORVEIL_* env vars from the referenced Secrets.
- values-saas.yaml — enables stripe + oidc, references OCI-Vault-backed Secrets.
- values-selfhosted.yaml — stripe disabled, licensing path enabled (separate ticket).
- ExternalSecret shape in README.md so infra folks can wire Vault backing.
Acceptance
- helm template . --values values-saas.yaml renders env references to all three Secrets.
- helm template . --values values-selfhosted.yaml omits Stripe env vars entirely.
- A deployer with pre-created Secrets can helm install without errors.
Dependencies
- Corveil product ticket Stripe integration (config keys).
- Corveil product ticket BYOK (encryption key usage).
Key files
- values.yaml, values-saas.yaml (new), values-selfhosted.yaml (new)
- templates/deployment.yaml / templates/env.yaml / templates/secrets.yaml
- README.md
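
One way the wiring asked for in this ticket could look for the BYOK key and the Stripe toggle, as an added example that is not the chart's own code. Only CORVEIL_SECRET_KEY comes from the ticket; the values keys, Secret names, Stripe env var names, store name and Vault secret name are assumptions.

```yaml
# values.yaml (hypothetical keys; the chart's real schema is not shown in this ticket)
secrets:
  byok:
    existingSecret: corveil-byok          # constructed Secret name, written by ESO
    key: secret-key
  stripe:
    enabled: false                        # self-hosted default: no Stripe env vars rendered
    existingSecret: corveil-stripe        # constructed Secret name
    apiKeyField: api-secret
    webhookKeyField: webhook-secret
---
# templates/deployment.yaml, container env fragment: references Secrets by name, embeds no values
env:
  - name: CORVEIL_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: {{ required "secrets.byok.existingSecret must be set" .Values.secrets.byok.existingSecret }}
        key: {{ .Values.secrets.byok.key | quote }}
  {{- if .Values.secrets.stripe.enabled }}
  - name: CORVEIL_STRIPE_API_KEY          # hypothetical env var name
    valueFrom:
      secretKeyRef:
        name: {{ required "secrets.stripe.existingSecret must be set" .Values.secrets.stripe.existingSecret }}
        key: {{ .Values.secrets.stripe.apiKeyField | quote }}
  - name: CORVEIL_STRIPE_WEBHOOK_SECRET   # hypothetical env var name
    valueFrom:
      secretKeyRef:
        name: {{ .Values.secrets.stripe.existingSecret }}
        key: {{ .Values.secrets.stripe.webhookKeyField | quote }}
  {{- end }}
---
# ExternalSecret that produces the Secret the chart references (applied by infra, outside the chart)
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: corveil-byok
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: oci-vault                       # constructed store name
  target:
    name: corveil-byok                    # must match secrets.byok.existingSecret
  data:
    - secretKey: secret-key               # must match secrets.byok.key
      remoteRef:
        key: corveil-secret-key           # constructed OCI Vault secret name
```

With stripe.enabled left false the Stripe entries are not rendered at all, and the required calls make helm template fail early when an enabled integration has no Secret name.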