docs/helm-oauth.md

# Hemmelig Helm Chart - OAuth Configuration Examples

This document demonstrates how to configure OAuth providers with the Hemmelig Helm Chart.

## Using Default Secret Management

The chart can automatically create secrets with your OAuth configuration.

The example below contains all providers supported by the Helm Chart:

```yaml
# values.yaml
config:
  betterAuthSecret: "your-auth-secret-here"
  betterAuthUrl: "https://secrets.example.com"
  baseUrl: "https://secrets.example.com"  # Required for OAuth callbacks

oauth:
  github:
    enabled: true
    clientId: "your-github-client-id"
    clientSecret: "your-github-client-secret"
  
  google:
    enabled: true
    clientId: "your-google-client-id"
    clientSecret: "your-google-client-secret"
  
  microsoft:
    enabled: true
    clientId: "your-microsoft-client-id"
    clientSecret: "your-microsoft-client-secret"
    tenantId: "your-tenant-id"  # Optional
  
  discord:
    enabled: true
    clientId: "your-discord-client-id"
    clientSecret: "your-discord-client-secret"
  
  gitlab:
    enabled: true
    clientId: "your-gitlab-client-id"
    clientSecret: "your-gitlab-client-secret"
    issuer: "https://gitlab.example.com"  # Optional, for self-hosted GitLab
  
  apple:
    enabled: true
    clientId: "your-apple-client-id"
    clientSecret: "your-apple-client-secret"
  
  twitter:
    enabled: true
    clientId: "your-twitter-client-id"
    clientSecret: "your-twitter-client-secret"
  
  generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
```

## Using Existing Secret

If you prefer to manage secrets yourself, reference an existing secret
and enable your desired providers:

```yaml
# values.yaml
existingSecret: "hemmelig-secrets"

oauth:
  github:
    enabled: true
  google:
    enabled: true
  microsoft:
    enabled: true
  discord:
    enabled: true
  gitlab:
    enabled: true
  apple:
    enabled: true
  twitter:
    enabled: true
  generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
```

Your referenced secret should contain the relevant keys for the providers enabled:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: hemmelig-secrets
type: Opaque
stringData:
  BETTER_AUTH_SECRET: "your-auth-secret"
  # GitHub
  HEMMELIG_AUTH_GITHUB_ID: "github-client-id"
  HEMMELIG_AUTH_GITHUB_SECRET: "github-client-secret"
  # Google
  HEMMELIG_AUTH_GOOGLE_ID: "google-client-id"
  HEMMELIG_AUTH_GOOGLE_SECRET: "google-client-secret"
  # Microsoft (Azure AD)
  HEMMELIG_AUTH_MICROSOFT_ID: "microsoft-client-id"
  HEMMELIG_AUTH_MICROSOFT_SECRET: "microsoft-client-secret"
  HEMMELIG_AUTH_MICROSOFT_TENANT_ID: "tenant-id" # Optional
  # Discord
  HEMMELIG_AUTH_DISCORD_ID: "discord-client-id"
  HEMMELIG_AUTH_DISCORD_SECRET: "discord-client-secret"
  # GitLab
  HEMMELIG_AUTH_GITLAB_ID: "gitlab-client-id"
  HEMMELIG_AUTH_GITLAB_SECRET: "gitlab-client-secret"
  HEMMELIG_AUTH_GITLAB_ISSUER: "https://gitlab.example.com"  # Optional
  # Apple
  HEMMELIG_AUTH_APPLE_ID: "apple-client-id"
  HEMMELIG_AUTH_APPLE_SECRET: "apple-client-secret"
  # Twitter/X
  HEMMELIG_AUTH_TWITTER_ID: "twitter-client-id"
  HEMMELIG_AUTH_TWITTER_SECRET: "twitter-client-secret"
  # Generic OAuth (JSON array - supports any OAuth 2.0 / OIDC provider)
  HEMMELIG_AUTH_GENERIC_OAUTH: "[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"client-secret","scopes":["openid","profile","email"]}]"
```

## Notes

- All `HEMMELIG_AUTH_*` variables require both `_ID` and `_SECRET`
to enable a provider, except the "Generic" type.

If you enable a provider and not include the required environment variables for it,
the pod will fail to start with CreateContainerConfigError, with an event
similar to the one below:

```
Error: couldn't find key HEMMELIG_AUTH_<missing_env> in Secret default/hemmelig
```

- All OAuth environment variables will be automatically injected into
the deployment, sourced either from the chart-generated secret
or your existing secret.

- If the `existingSecret` value is provided, the `clientId`, `clientSecret`, etc.
values are ignored from the `values.yaml`
feat: rebrand Hemmelig to paste.es for cloudhost.es - Set Spanish as default language with ephemeral/encrypted privacy focus - Translate all user-facing strings and legal pages to Spanish - Replace Norwegian flag with Spanish flag in footer - Remove Hemmelig/terces.cloud links, add cloudhost.es sponsorship - Rewrite PrivacyPage: zero data collection, ephemeral design emphasis - Rewrite TermsPage: Spanish law, RGPD, paste.es/CloudHost.es references - Update PWA manifest, HTML meta tags, package.json branding - Rename webhook headers to X-Paste-Event / X-Paste-Signature - Update API docs title and contact to paste.es / cloudhost.es Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-24 09:30:19 +01:00			`# Hemmelig Helm Chart - OAuth Configuration Examples`

			`This document demonstrates how to configure OAuth providers with the Hemmelig Helm Chart.`

			`## Using Default Secret Management`

			`The chart can automatically create secrets with your OAuth configuration.`

			`The example below contains all providers supported by the Helm Chart:`

			```yaml
			`# values.yaml`
			`config:`
			`betterAuthSecret: "your-auth-secret-here"`
			`betterAuthUrl: "https://secrets.example.com"`
			`baseUrl: "https://secrets.example.com" # Required for OAuth callbacks`

			`oauth:`
			`github:`
			`enabled: true`
			`clientId: "your-github-client-id"`
			`clientSecret: "your-github-client-secret"`

			`google:`
			`enabled: true`
			`clientId: "your-google-client-id"`
			`clientSecret: "your-google-client-secret"`

			`microsoft:`
			`enabled: true`
			`clientId: "your-microsoft-client-id"`
			`clientSecret: "your-microsoft-client-secret"`
			`tenantId: "your-tenant-id" # Optional`

			`discord:`
			`enabled: true`
			`clientId: "your-discord-client-id"`
			`clientSecret: "your-discord-client-secret"`

			`gitlab:`
			`enabled: true`
			`clientId: "your-gitlab-client-id"`
			`clientSecret: "your-gitlab-client-secret"`
			`issuer: "https://gitlab.example.com" # Optional, for self-hosted GitLab`

			`apple:`
			`enabled: true`
			`clientId: "your-apple-client-id"`
			`clientSecret: "your-apple-client-secret"`

			`twitter:`
			`enabled: true`
			`clientId: "your-twitter-client-id"`
			`clientSecret: "your-twitter-client-secret"`

			`generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'`
			```

			`## Using Existing Secret`

			`If you prefer to manage secrets yourself, reference an existing secret`
			`and enable your desired providers:`

			```yaml
			`# values.yaml`
			`existingSecret: "hemmelig-secrets"`

			`oauth:`
			`github:`
			`enabled: true`
			`google:`
			`enabled: true`
			`microsoft:`
			`enabled: true`
			`discord:`
			`enabled: true`
			`gitlab:`
			`enabled: true`
			`apple:`
			`enabled: true`
			`twitter:`
			`enabled: true`
			`generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'`
			```

			`Your referenced secret should contain the relevant keys for the providers enabled:`

			```yaml
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: hemmelig-secrets`
			`type: Opaque`
			`stringData:`
			`BETTER_AUTH_SECRET: "your-auth-secret"`
			`# GitHub`
			`HEMMELIG_AUTH_GITHUB_ID: "github-client-id"`
			`HEMMELIG_AUTH_GITHUB_SECRET: "github-client-secret"`
			`# Google`
			`HEMMELIG_AUTH_GOOGLE_ID: "google-client-id"`
			`HEMMELIG_AUTH_GOOGLE_SECRET: "google-client-secret"`
			`# Microsoft (Azure AD)`
			`HEMMELIG_AUTH_MICROSOFT_ID: "microsoft-client-id"`
			`HEMMELIG_AUTH_MICROSOFT_SECRET: "microsoft-client-secret"`
			`HEMMELIG_AUTH_MICROSOFT_TENANT_ID: "tenant-id" # Optional`
			`# Discord`
			`HEMMELIG_AUTH_DISCORD_ID: "discord-client-id"`
			`HEMMELIG_AUTH_DISCORD_SECRET: "discord-client-secret"`
			`# GitLab`
			`HEMMELIG_AUTH_GITLAB_ID: "gitlab-client-id"`
			`HEMMELIG_AUTH_GITLAB_SECRET: "gitlab-client-secret"`
			`HEMMELIG_AUTH_GITLAB_ISSUER: "https://gitlab.example.com" # Optional`
			`# Apple`
			`HEMMELIG_AUTH_APPLE_ID: "apple-client-id"`
			`HEMMELIG_AUTH_APPLE_SECRET: "apple-client-secret"`
			`# Twitter/X`
			`HEMMELIG_AUTH_TWITTER_ID: "twitter-client-id"`
			`HEMMELIG_AUTH_TWITTER_SECRET: "twitter-client-secret"`
			`# Generic OAuth (JSON array - supports any OAuth 2.0 / OIDC provider)`
			`HEMMELIG_AUTH_GENERIC_OAUTH: "[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"client-secret","scopes":["openid","profile","email"]}]"`
			```

			`## Notes`

			- All `HEMMELIG_AUTH_*` variables require both `_ID` and `_SECRET`
			`to enable a provider, except the "Generic" type.`

			`If you enable a provider and not include the required environment variables for it,`
			`the pod will fail to start with CreateContainerConfigError, with an event`
			`similar to the one below:`

			```
			`Error: couldn't find key HEMMELIG_AUTH_<missing_env> in Secret default/hemmelig`
			```

			`- All OAuth environment variables will be automatically injected into`
			`the deployment, sourced either from the chart-generated secret`
			`or your existing secret.`

			- If the `existingSecret` value is provided, the `clientId`, `clientSecret`, etc.
			values are ignored from the `values.yaml`