feat: add SMTP config to Helm chart and Woodpecker pipeline

- Add SMTP_PORT, SMTP_FROM, ADMIN_EMAIL, FRONTEND_URL to ConfigMap - Add Helm-managed SMTP secret for credentials (host, user, password) - Wire Woodpecker secrets into deploy step via --set flags - SMTP secret conditionally created only when values are provided
2026-02-27 13:31:37 +01:00
parent e07f4c4c64
commit 2e5d7b726b
5 changed files with 41 additions and 1 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -60,3 +60,4 @@ TURNSTILE_SECRET_KEY=

 # Notifications
 ADMIN_EMAIL=
+FRONTEND_URL=http://localhost:5173
--- a/backend/.woodpecker.yml
+++ b/backend/.woodpecker.yml
@@ -44,6 +44,12 @@ steps:
    environment:
      KUBECONFIG_DATA:
        from_secret: kubeconfig
+      SMTP_HOST:
+        from_secret: smtp_host
+      SMTP_USER:
+        from_secret: smtp_user
+      SMTP_PASSWORD:
+        from_secret: smtp_password
    commands:
      - mkdir -p ~/.kube
      - echo "$KUBECONFIG_DATA" > ~/.kube/config
@@ -52,6 +58,9 @@ steps:
        helm upgrade --install marktvogt-backend ./deploy/helm/ \
          --namespace tenant-1 \
          --set image.tag="${CI_COMMIT_SHA:0:8}" \
+          --set smtp.host="$SMTP_HOST" \
+          --set smtp.user="$SMTP_USER" \
+          --set smtp.password="$SMTP_PASSWORD" \
          --atomic \
          --timeout 5m
    when:
--- a/backend/deploy/helm/templates/deployment.yaml
+++ b/backend/deploy/helm/templates/deployment.yaml
@@ -35,12 +35,17 @@ spec:
              containerPort: {{ .Values.service.targetPort }}
              protocol: TCP
          envFrom:
-            # Non-sensitive config (CORS, rate limits, TTLs, URLs)
+            # Non-sensitive config (CORS, rate limits, TTLs, URLs, SMTP settings)
            - configMapRef:
                name: {{ include "marktvogt-backend.fullname" . }}-config
            # Sensitive config (JWT secret, OAuth keys, Sentry DSN)
            - secretRef:
                name: {{ .Values.secretName }}
+            {{- if and .Values.smtp.host .Values.smtp.password }}
+            # SMTP credentials (Helm-managed, passed via CI)
+            - secretRef:
+                name: {{ include "marktvogt-backend.fullname" . }}-smtp
+            {{- end }}
          env:
            # DB credentials from CNPG-managed secret
            - name: DB_HOST
--- a/backend/deploy/helm/templates/smtp-secret.yaml
+++ b/backend/deploy/helm/templates/smtp-secret.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.smtp.host .Values.smtp.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "marktvogt-backend.fullname" . }}-smtp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "marktvogt-backend.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  SMTP_HOST: {{ .Values.smtp.host | quote }}
+  SMTP_USER: {{ .Values.smtp.user | quote }}
+  SMTP_PASSWORD: {{ .Values.smtp.password | quote }}
+{{- end }}
--- a/backend/deploy/helm/values.yaml
+++ b/backend/deploy/helm/values.yaml
@@ -73,12 +73,23 @@ config:
  MAGIC_LINK_TTL: "15m"
  MAGIC_LINK_BASE_URL: "https://marktvogt.de/auth/magic-link/verify"
  OAUTH_REDIRECT_BASE_URL: "https://api.marktvogt.de"
+  SMTP_PORT: "587"
+  SMTP_FROM: "noreply@marktvogt.de"
+  ADMIN_EMAIL: "christian@nachtigall.dev"
+  FRONTEND_URL: "https://marktvogt.de"

 # Name of the manually-created Secret containing:
 #   JWT_SECRET, SENTRY_DSN,
 #   OAUTH_{GOOGLE,APPLE,FACEBOOK,GITHUB}_{CLIENT_ID,CLIENT_SECRET}
 secretName: marktvogt-backend-secrets

+# SMTP credentials — passed via Woodpecker secrets during deploy.
+# Rendered into a Helm-managed K8s Secret.
+smtp:
+  host: ""
+  user: ""
+  password: ""
+
 # CloudNativePG Postgres cluster
 postgres:
  enabled: false