paste.es/docs/helm-oauth.md
Malin bc9f96cbd4 feat: rebrand Hemmelig to paste.es for cloudhost.es
- Set Spanish as default language with ephemeral/encrypted privacy focus
- Translate all user-facing strings and legal pages to Spanish
- Replace Norwegian flag with Spanish flag in footer
- Remove Hemmelig/terces.cloud links, add cloudhost.es sponsorship
- Rewrite PrivacyPage: zero data collection, ephemeral design emphasis
- Rewrite TermsPage: Spanish law, RGPD, paste.es/CloudHost.es references
- Update PWA manifest, HTML meta tags, package.json branding
- Rename webhook headers to X-Paste-Event / X-Paste-Signature
- Update API docs title and contact to paste.es / cloudhost.es

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 09:30:19 +01:00

142 lines
4.3 KiB
Markdown

# Hemmelig Helm Chart - OAuth Configuration Examples
This document demonstrates how to configure OAuth providers with the Hemmelig Helm Chart.
## Using Default Secret Management
The chart can automatically create secrets with your OAuth configuration.
The example below contains all providers supported by the Helm Chart:
```yaml
# values.yaml
config:
  betterAuthSecret: "your-auth-secret-here"
  betterAuthUrl: "https://secrets.example.com"
  baseUrl: "https://secrets.example.com" # Required for OAuth callbacks
oauth:
  github:
    enabled: true
    clientId: "your-github-client-id"
    clientSecret: "your-github-client-secret"
  google:
    enabled: true
    clientId: "your-google-client-id"
    clientSecret: "your-google-client-secret"
  microsoft:
    enabled: true
    clientId: "your-microsoft-client-id"
    clientSecret: "your-microsoft-client-secret"
    tenantId: "your-tenant-id" # Optional
  discord:
    enabled: true
    clientId: "your-discord-client-id"
    clientSecret: "your-discord-client-secret"
  gitlab:
    enabled: true
    clientId: "your-gitlab-client-id"
    clientSecret: "your-gitlab-client-secret"
    issuer: "https://gitlab.example.com" # Optional, for self-hosted GitLab
  apple:
    enabled: true
    clientId: "your-apple-client-id"
    clientSecret: "your-apple-client-secret"
  twitter:
    enabled: true
    clientId: "your-twitter-client-id"
    clientSecret: "your-twitter-client-secret"
  generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
```
## Using Existing Secret
If you prefer to manage secrets yourself, reference an existing secret
and enable your desired providers:
```yaml
# values.yaml
existingSecret: "hemmelig-secrets"
oauth:
  github:
    enabled: true
  google:
    enabled: true
  microsoft:
    enabled: true
  discord:
    enabled: true
  gitlab:
    enabled: true
  apple:
    enabled: true
  twitter:
    enabled: true
  generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
```
Your referenced secret should contain the relevant keys for the providers enabled:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: hemmelig-secrets
type: Opaque
stringData:
  BETTER_AUTH_SECRET: "your-auth-secret"
  # GitHub
  HEMMELIG_AUTH_GITHUB_ID: "github-client-id"
  HEMMELIG_AUTH_GITHUB_SECRET: "github-client-secret"
  # Google
  HEMMELIG_AUTH_GOOGLE_ID: "google-client-id"
  HEMMELIG_AUTH_GOOGLE_SECRET: "google-client-secret"
  # Microsoft (Azure AD)
  HEMMELIG_AUTH_MICROSOFT_ID: "microsoft-client-id"
  HEMMELIG_AUTH_MICROSOFT_SECRET: "microsoft-client-secret"
  HEMMELIG_AUTH_MICROSOFT_TENANT_ID: "tenant-id" # Optional
  # Discord
  HEMMELIG_AUTH_DISCORD_ID: "discord-client-id"
  HEMMELIG_AUTH_DISCORD_SECRET: "discord-client-secret"
  # GitLab
  HEMMELIG_AUTH_GITLAB_ID: "gitlab-client-id"
  HEMMELIG_AUTH_GITLAB_SECRET: "gitlab-client-secret"
  HEMMELIG_AUTH_GITLAB_ISSUER: "https://gitlab.example.com" # Optional
  # Apple
  HEMMELIG_AUTH_APPLE_ID: "apple-client-id"
  HEMMELIG_AUTH_APPLE_SECRET: "apple-client-secret"
  # Twitter/X
  HEMMELIG_AUTH_TWITTER_ID: "twitter-client-id"
  HEMMELIG_AUTH_TWITTER_SECRET: "twitter-client-secret"
  # Generic OAuth (JSON array - supports any OAuth 2.0 / OIDC provider)
  # Single-quoted so the double quotes inside the JSON do not end the YAML string
  HEMMELIG_AUTH_GENERIC_OAUTH: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"client-secret","scopes":["openid","profile","email"]}]'
```
## Notes
- Every provider needs both its `HEMMELIG_AUTH_*_ID` and `HEMMELIG_AUTH_*_SECRET`
  variables to be enabled, except the "Generic" type.
  If you enable a provider but do not include the required environment variables for it,
  the pod will fail to start with `CreateContainerConfigError`, with an event
  similar to the one below:
  ```
  Error: couldn't find key HEMMELIG_AUTH_<missing_env> in Secret default/hemmelig
  ```
- All OAuth environment variables are automatically injected into
  the deployment, sourced either from the chart-generated secret
  or from your existing secret.
- If the `existingSecret` value is provided, the `clientId`, `clientSecret`, etc.
  values in `values.yaml` are ignored.
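
A pre-deployment check for the missing-key failure described in the Notes, added here as an example and not part of the chart or its tooling. It assumes the input is the output of `kubectl get secret <name> -o json`; the function name `secret_problems`, the sample data and the JSON-array check on the generic value are assumptions of this example.

```python
import base64
import json

# Providers from the values.yaml example; each needs an _ID and a _SECRET key.
# TENANT_ID (Microsoft) and ISSUER (GitLab) are optional, so they are not checked.
PROVIDERS = ("github", "google", "microsoft", "discord", "gitlab", "apple", "twitter")
GENERIC_KEY = "HEMMELIG_AUTH_GENERIC_OAUTH"


def secret_problems(secret_json: str, enabled: list[str]) -> list[str]:
    """Check `kubectl get secret <name> -o json` output against enabled providers."""
    data = json.loads(secret_json).get("data") or {}  # values are base64-encoded
    problems = []
    for provider in enabled:
        if provider not in PROVIDERS:
            problems.append(f"unknown provider: {provider}")
            continue
        for suffix in ("ID", "SECRET"):
            key = f"HEMMELIG_AUTH_{provider.upper()}_{suffix}"
            if key not in data:  # the case that ends in CreateContainerConfigError
                problems.append(f"missing key: {key}")
    if GENERIC_KEY in data:  # added check: the value must decode to a JSON array
        try:
            parsed = json.loads(base64.b64decode(data[GENERIC_KEY]))
        except (ValueError, TypeError):  # bad base64, bad UTF-8, bad JSON, null value
            parsed = None
        if not isinstance(parsed, list) or not all(isinstance(p, dict) for p in parsed):
            problems.append(f"{GENERIC_KEY} is not a JSON array of objects")
    return problems


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample: GitHub is complete, Google lacks its _SECRET,
# and the generic value lost its inner quotes.
SAMPLE_SECRET = json.dumps({"kind": "Secret", "data": {
    "HEMMELIG_AUTH_GITHUB_ID": b64("github-client-id"),
    "HEMMELIG_AUTH_GITHUB_SECRET": b64("github-client-secret"),
    "HEMMELIG_AUTH_GOOGLE_ID": b64("google-client-id"),
    GENERIC_KEY: b64("[{providerId:authentik}]"),
}})

if __name__ == "__main__":
    for problem in secret_problems(SAMPLE_SECRET, ["github", "google"]):
        print(problem)
```

Pass the providers you set to `enabled: true` in `values.yaml` as the second argument; an empty result means every required key is present.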