
Self-hosted license: Job + Secret mount at /etc/corveil/license.jwt #15

@dhilgaertner

Context

Self-hosted Corveil reads a signed RS256 JWT at boot (see corveil issue: self-hosted license verification). The chart needs a clean way to materialize the license in the pod, either via a Secret the deployer creates or a values-provided raw JWT.

Goal

A license.* values block + a templates/license-secret.yaml + a Deployment volume mount so Corveil finds the license at /etc/corveil/license.jwt.

Work items

  • values.yaml:
    license:
      enabled: false
      # Option A: inline (NOT recommended for prod; convenient for testing)
      jwt: ""
      # Option B: existing Secret with key `license.jwt`
      existingSecret: ""
  • If license.enabled && license.jwt, a templates/license-secret.yaml renders a Secret named {{ include "corveil.fullname" . }}-license with key license.jwt.
  • If license.enabled, Deployment mounts the Secret (from existingSecret or the rendered one) at /etc/corveil/license.jwt read-only.
  • Document:
    • How to mint a license via the CLI (link to corveil product docs).
    • Why this is disabled by default (SaaS doesn't need it).

Acceptance

  • helm install with license.enabled=true + license.jwt=<valid> renders the Secret and mounts it; Corveil boots and logs license loaded.
  • helm install with defaults boots Corveil in community mode (no license mount, no Secret).

Dependencies

  • Corveil product ticket for license verification.

Key files

  • values.yaml
  • templates/license-secret.yaml (new)
  • templates/deployment.yaml (volume mount)
  • README.md (licensing section)
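
A sketch of the two templates the work items describe, added here as an example and not taken from the chart repository or written by the issue author. The container name `corveil`, the precedence of `existingSecret` over an inline `jwt`, and the `fail` guard are assumptions.

```yaml
# templates/license-secret.yaml (example sketch)
# Rendered only for Option A. Option A leaves the JWT in the Helm release
# record as well as in this Secret, which is why Option B suits production.
# Assumption: when both values are set, existingSecret wins and nothing renders.
{{- if and .Values.license.enabled .Values.license.jwt (not .Values.license.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "corveil.fullname" . }}-license
type: Opaque
stringData:
  license.jwt: {{ .Values.license.jwt | quote }}
{{- end }}
---
# templates/deployment.yaml (fragment; only the license-related parts shown)
# Assumption: fail the render early if licensing is enabled with no source.
{{- if .Values.license.enabled }}
{{- if not (or .Values.license.jwt .Values.license.existingSecret) }}
{{- fail "license.enabled=true requires license.jwt or license.existingSecret" }}
{{- end }}
{{- end }}
spec:
  template:
    spec:
      containers:
        - name: corveil   # assumed container name
          {{- if .Values.license.enabled }}
          volumeMounts:
            - name: license
              mountPath: /etc/corveil/license.jwt
              subPath: license.jwt   # mount one file, not the whole directory
              readOnly: true
          {{- end }}
      {{- if .Values.license.enabled }}
      volumes:
        - name: license
          secret:
            secretName: {{ .Values.license.existingSecret | default (printf "%s-license" (include "corveil.fullname" .)) }}
            items:
              - key: license.jwt
                path: license.jwt
      {{- end }}
```

Because the mount uses `subPath`, a running pod does not see an updated Secret; restart the Deployment after replacing the license.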

    Labels

    chart (Helm chart template / values work), enhancement (New feature or request), licensing (Self-hosted license key / JWT)
