Add values surface for Stripe, OIDC, BYOK encryption key #14

Description

@dhilgaertner

Context

Corveil is gaining three new platform integrations that the chart must wire up:

  1. Stripe — billing API secret + webhook signing secret.
  2. Okta OIDC — client ID + secret for SaaS login.
  3. BYOK encryption key — the CORVEIL_SECRET_KEY used for AES-256 encryption of per-org provider credentials in the database.

All three come from OCI Vault and are synced into K8s Secrets by external-secrets-operator (provisioned by corveil-oci-infra). The chart must not embed secret material itself; it only references the names of existing Secrets that the deployer provides.

Goal

Add values + templating so a deployer can point the chart at pre-existing K8s Secrets (written by ESO from OCI Vault) without modifying templates.

Work items

  • values.yaml additions (with defaults commented):
    stripe:
      enabled: false
      secretKeyRef:
        name: corveil-stripe
        keys:
          secretKey: stripe-secret-key
          webhookSecret: stripe-webhook-secret
      priceIdPerSeat: ""
      allowedCountries: ["US"]
      taxEnabled: false
      successUrl: ""
      cancelUrl: ""
    
    oidc:
      provider: okta
      issuer: ""
      secretKeyRef:
        name: corveil-oidc
        keys:
          clientId: okta-client-id
          clientSecret: okta-client-secret
    
    byok:
      encryptionKeySecretRef:
        name: corveil-byok
        key: secret-key
  • Extend templates/env.yaml / templates/secrets.yaml (or the equivalent envFrom/env blocks in the Deployment) to project these as CORVEIL_* env vars from the referenced Secrets.
  • Ship two reference values files:
    • values-saas.yaml — enables stripe + oidc, references OCI-Vault-backed Secrets.
    • values-selfhosted.yaml — stripe disabled, licensing path enabled (separate ticket).
  • Document the expected ESO ExternalSecret shape in README.md so infra folks can wire Vault backing.
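One way to implement the env-projection work item above, as an added example rather than code from the Corveil chart: a named template in a hypothetical templates/_env.tpl that reads the proposed values and emits env entries backed by secretKeyRef, so secret material never lands in a ConfigMap or in rendered manifests. Stripe entries are gated on stripe.enabled (which is what makes values-selfhosted.yaml omit them); gating OIDC on a non-empty oidc.issuer and the exact CORVEIL_STRIPE_* / CORVEIL_OIDC_* variable names are assumptions, as only CORVEIL_SECRET_KEY is named in the ticket. The BYOK reference uses `required` so a deployer who forgets it gets a render-time error instead of a running pod without an encryption key.

```yaml
# templates/_env.tpl (hypothetical helper, not part of the chart yet)
{{- define "corveil.integrationEnv" -}}
{{- if .Values.stripe.enabled }}
# Stripe: both secrets are read from the deployer-provided Secret, never inlined.
- name: CORVEIL_STRIPE_SECRET_KEY            # assumed name
  valueFrom:
    secretKeyRef:
      name: {{ .Values.stripe.secretKeyRef.name | quote }}
      key: {{ .Values.stripe.secretKeyRef.keys.secretKey | quote }}
- name: CORVEIL_STRIPE_WEBHOOK_SECRET        # assumed name
  valueFrom:
    secretKeyRef:
      name: {{ .Values.stripe.secretKeyRef.name | quote }}
      key: {{ .Values.stripe.secretKeyRef.keys.webhookSecret | quote }}
# Non-secret Stripe settings can be plain values.
- name: CORVEIL_STRIPE_PRICE_ID_PER_SEAT     # assumed name
  value: {{ .Values.stripe.priceIdPerSeat | quote }}
- name: CORVEIL_STRIPE_TAX_ENABLED           # assumed name
  value: {{ .Values.stripe.taxEnabled | quote }}
{{- end }}
{{- if .Values.oidc.issuer }}
# OIDC: gating on a configured issuer is an assumption (no oidc.enabled in the proposal).
- name: CORVEIL_OIDC_PROVIDER                # assumed name
  value: {{ .Values.oidc.provider | quote }}
- name: CORVEIL_OIDC_ISSUER                  # assumed name
  value: {{ .Values.oidc.issuer | quote }}
- name: CORVEIL_OIDC_CLIENT_ID               # assumed name
  valueFrom:
    secretKeyRef:
      name: {{ .Values.oidc.secretKeyRef.name | quote }}
      key: {{ .Values.oidc.secretKeyRef.keys.clientId | quote }}
- name: CORVEIL_OIDC_CLIENT_SECRET           # assumed name
  valueFrom:
    secretKeyRef:
      name: {{ .Values.oidc.secretKeyRef.name | quote }}
      key: {{ .Values.oidc.secretKeyRef.keys.clientSecret | quote }}
{{- end }}
# BYOK: always required; fail the render rather than boot without an encryption key.
- name: CORVEIL_SECRET_KEY
  valueFrom:
    secretKeyRef:
      name: {{ required "byok.encryptionKeySecretRef.name is required" .Values.byok.encryptionKeySecretRef.name | quote }}
      key: {{ required "byok.encryptionKeySecretRef.key is required" .Values.byok.encryptionKeySecretRef.key | quote }}
{{- end }}

# templates/deployment.yaml: splice the helper into the container's env list.
#         containers:
#           - name: corveil
#             env:
#               {{- include "corveil.integrationEnv" . | nindent 14 }}
```

Because every secret is projected with valueFrom.secretKeyRef, `helm template` output contains only Secret names and key names, which is what the acceptance criteria can grep for; the rendered manifests stay safe to commit or paste into a ticket.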

Acceptance

  • helm template . --values values-saas.yaml renders env references to all three Secrets.
  • helm template . --values values-selfhosted.yaml omits Stripe env vars entirely.
  • A deployer with pre-created Secrets can helm install without errors.
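The README work item asks for the ExternalSecret shape that infra can use to produce the pre-created Secrets the acceptance criteria rely on. The following is an added example, not a manifest from corveil-oci-infra; it uses the external-secrets.io/v1beta1 API and shows the Stripe and BYOK Secrets (the OIDC one follows the same pattern). The ClusterSecretStore name and the OCI Vault secret names under remoteRef.key are placeholders to be replaced with whatever corveil-oci-infra provisions. The contract that matters is that target.name and each data[].secretKey match the names and keys in values.yaml exactly.

```yaml
# Placeholder store name: the OCI Vault-backed ClusterSecretStore is defined by corveil-oci-infra.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: corveil-stripe
spec:
  refreshInterval: 1h                  # re-sync so a rotated key in OCI Vault propagates
  secretStoreRef:
    kind: ClusterSecretStore
    name: oci-vault                    # placeholder
  target:
    name: corveil-stripe               # == .Values.stripe.secretKeyRef.name
    creationPolicy: Owner              # ESO owns the Secret; the chart only references it
  data:
    - secretKey: stripe-secret-key     # == .Values.stripe.secretKeyRef.keys.secretKey
      remoteRef:
        key: corveil-stripe-secret-key       # placeholder: OCI Vault secret name
    - secretKey: stripe-webhook-secret # == .Values.stripe.secretKeyRef.keys.webhookSecret
      remoteRef:
        key: corveil-stripe-webhook-secret   # placeholder: OCI Vault secret name
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: corveil-byok
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: oci-vault                    # placeholder
  target:
    name: corveil-byok                 # == .Values.byok.encryptionKeySecretRef.name
    creationPolicy: Owner
  data:
    - secretKey: secret-key            # == .Values.byok.encryptionKeySecretRef.key
      remoteRef:
        key: corveil-byok-secret-key   # placeholder: OCI Vault secret name
```

With creationPolicy: Owner the Secret is garbage-collected along with the ExternalSecret, so a deployer who removes the ESO wiring will see the Deployment's secretKeyRef fail to resolve rather than silently keep an orphaned copy of the key around.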

Dependencies

  • Corveil product ticket Stripe integration (config keys).
  • Corveil product ticket BYOK (encryption key usage).

Key files

  • values.yaml, values-saas.yaml (new), values-selfhosted.yaml (new)
  • templates/deployment.yaml / templates/env.yaml / templates/secrets.yaml
  • README.md

Metadata

Assignees: No one assigned

Labels:
  • chart — Helm chart template / values work
  • enhancement — New feature or request
  • migration-oci — OCI + Kubernetes migration workstream