diff --git a/backend/.env.example b/backend/.env.example
index 9b5c4d5..01ff8f3 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -60,3 +60,4 @@ TURNSTILE_SECRET_KEY=
 # Notifications
 ADMIN_EMAIL=
+FRONTEND_URL=http://localhost:5173
diff --git a/backend/.woodpecker.yml b/backend/.woodpecker.yml
index aa7c8f1..330102f 100644
--- a/backend/.woodpecker.yml
+++ b/backend/.woodpecker.yml
@@ -44,6 +44,12 @@ steps:
 environment:
 KUBECONFIG_DATA:
 from_secret: kubeconfig
+ SMTP_HOST:
+ from_secret: smtp_host
+ SMTP_USER:
+ from_secret: smtp_user
+ SMTP_PASSWORD:
+ from_secret: smtp_password
 commands:
 - mkdir -p ~/.kube
 - echo "$KUBECONFIG_DATA" > ~/.kube/config
@@ -52,6 +58,9 @@ steps:
 helm upgrade --install marktvogt-backend ./deploy/helm/ \
 --namespace tenant-1 \
 --set image.tag="${CI_COMMIT_SHA:0:8}" \
+ --set smtp.host="$SMTP_HOST" \
+ --set smtp.user="$SMTP_USER" \
+ --set smtp.password="$SMTP_PASSWORD" \
 --atomic \
 --timeout 5m
 when:
diff --git a/backend/deploy/helm/templates/deployment.yaml b/backend/deploy/helm/templates/deployment.yaml
index ee5f118..96e9e14 100644
--- a/backend/deploy/helm/templates/deployment.yaml
+++ b/backend/deploy/helm/templates/deployment.yaml
@@ -35,12 +35,17 @@ spec:
 containerPort: {{ .Values.service.targetPort }}
 protocol: TCP
 envFrom:
- # Non-sensitive config (CORS, rate limits, TTLs, URLs)
+ # Non-sensitive config (CORS, rate limits, TTLs, URLs, SMTP settings)
 - configMapRef:
 name: {{ include "marktvogt-backend.fullname" . }}-config
 # Sensitive config (JWT secret, OAuth keys, Sentry DSN)
 - secretRef:
 name: {{ .Values.secretName }}
+ {{- if and .Values.smtp.host .Values.smtp.password }}
+ # SMTP credentials (Helm-managed, passed via CI)
+ - secretRef:
+ name: {{ include "marktvogt-backend.fullname" . }}-smtp
+ {{- end }}
 env:
 # DB credentials from CNPG-managed secret
 - name: DB_HOST
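Review bot: Nothing in the deploy step checks that the three new `from_secret` values actually resolved, so an unset or misnamed `smtp_password` in Woodpecker arrives as an empty string and the upgrade still goes ahead (the chart's `if and .Values.smtp.host .Values.smtp.password` guard then simply omits the SMTP Secret). Fail fast as the first entry of `commands:` with `- : "${SMTP_HOST:?smtp_host secret missing}" "${SMTP_USER:?smtp_user secret missing}" "${SMTP_PASSWORD:?smtp_password secret missing}"`. The `commands:` list continues into the next hunk.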
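Review bot: `--set smtp.password="$SMTP_PASSWORD"` puts the mailbox password on Helm's command line, where it is visible in the CI log if Woodpecker echoes each command (it does by default) and in `/proc/<pid>/cmdline` of the build container while the upgrade runs; `--set` also interprets the value, so a password containing `,` or `\` is split or truncated and an all-digit one is coerced to an integer before the template's `quote` ever sees it. Change the three new lines to `--set-string smtp.host="$SMTP_HOST" \`, `--set-string smtp.user="$SMTP_USER" \`, `--set-string smtp.password="$SMTP_PASSWORD" \` to stop the coercion, and read the password from a file written under `umask 077` (`--set-file smtp.password=<path>`) if keeping it off the argument list matters. Every value passed this way is also stored in the Helm release record, so retained revisions keep old passwords; adding `--history-max 3` next to `--atomic` bounds how many.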
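Review bot: The `{{- if and .Values.smtp.host .Values.smtp.password }}` guard around the new secretRef fails silently: if either value is empty (for instance a CI secret that did not resolve) the pod still starts with `SMTP_PORT`/`SMTP_FROM` from the ConfigMap but no `SMTP_HOST` at all, because the host only travels through the `-smtp` Secret, and mail breaks at runtime rather than at render time. It also rules out an unauthenticated relay (host set, password empty). Gate on the host alone, `{{- if .Values.smtp.host }}`, and if credentials are mandatory make the Secret template fail loudly with `{{ required "smtp.password is required when smtp.host is set" .Values.smtp.password | quote }}`. Put the condition in one named helper (e.g. `marktvogt-backend.smtpEnabled`) so this template and smtp-secret.yaml cannot drift apart; the `env:` list continues outside the hunk.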
diff --git a/backend/deploy/helm/templates/smtp-secret.yaml b/backend/deploy/helm/templates/smtp-secret.yaml
new file mode 100644
index 0000000..5df42a6
--- /dev/null
+++ b/backend/deploy/helm/templates/smtp-secret.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.smtp.host .Values.smtp.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "marktvogt-backend.fullname" . }}-smtp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "marktvogt-backend.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ SMTP_HOST: {{ .Values.smtp.host | quote }}
+ SMTP_USER: {{ .Values.smtp.user | quote }}
+ SMTP_PASSWORD: {{ .Values.smtp.password | quote }}
+{{- end }}
diff --git a/backend/deploy/helm/values.yaml b/backend/deploy/helm/values.yaml
index f0d0781..f7d80fa 100644
--- a/backend/deploy/helm/values.yaml
+++ b/backend/deploy/helm/values.yaml
@@ -73,12 +73,23 @@ config:
 MAGIC_LINK_TTL: "15m"
 MAGIC_LINK_BASE_URL: "https://marktvogt.de/auth/magic-link/verify"
 OAUTH_REDIRECT_BASE_URL: "https://api.marktvogt.de"
+ SMTP_PORT: "587"
+ SMTP_FROM: "noreply@marktvogt.de"
+ ADMIN_EMAIL: "christian@nachtigall.dev"
+ FRONTEND_URL: "https://marktvogt.de"
 # Name of the manually-created Secret containing:
 # JWT_SECRET, SENTRY_DSN,
 # OAUTH_{GOOGLE,APPLE,FACEBOOK,GITHUB}_{CLIENT_ID,CLIENT_SECRET}
 secretName: marktvogt-backend-secrets
+# SMTP credentials — passed via Woodpecker secrets during deploy.
+# Rendered into a Helm-managed K8s Secret.
+smtp:
+ host: ""
+ user: ""
+ password: ""
+
 # CloudNativePG Postgres cluster
 postgres:
 enabled: false
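Review bot: This template stores the password in a second Kubernetes Secret next to the one Helm already writes for the release record (`sh.helm.release.v1.marktvogt-backend.v<N>` in `tenant-1`, one per retained revision), and `helm get values marktvogt-backend -n tenant-1` prints it in clear to anyone with Helm access to the namespace, so a rotation is not finished until old revisions are pruned. That deserves a header comment, e.g. `# SMTP_HOST/SMTP_USER/SMTP_PASSWORD for the backend. Rendered only when both smtp.host and smtp.password are set (must match the envFrom guard in deployment.yaml); the values also persist in Helm release history.` `SMTP_HOST` is not a secret — moving it into the ConfigMap alongside `SMTP_PORT`/`SMTP_FROM` would let this Secret be gated on the password alone and keep the host available even when the Secret is skipped.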
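Review bot: The new `smtp:` comment does not say that `host` and `password` must both be non-empty for the credential Secret to exist; with either blank the chart renders no `-smtp` Secret and the pod starts without `SMTP_HOST`, while `SMTP_PORT`/`SMTP_FROM` from `config:` are still present. Extend it to `# SMTP credentials — passed via Woodpecker secrets during deploy (--set smtp.*). Rendered into a Helm-managed K8s Secret only when host and password are both set; leave empty to disable mail.` `ADMIN_EMAIL` looks like a personal address committed into the default values — if it is only the notification recipient that may be intended, but consider supplying it at deploy time like the SMTP values. `SMTP_PORT: "587"` is the submission port, normally used with STARTTLS; nothing in this hunk pins TLS, so if the backend exposes such a switch it should be set explicitly here.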