improvement(helm): added additional envvars to helm charts #1695
Merged
waleedlatif1 merged 2 commits into staging from Oct 21, 2025
Greptile Overview
Summary
This PR adds three new environment variables to the Helm charts: INTERNAL_API_SECRET, CRON_SECRET, and API_ENCRYPTION_KEY. The changes are consistently applied across all example configuration files.
Key Changes:
- Added `INTERNAL_API_SECRET` for internal service-to-service authentication (required, validated in `apps/sim/lib/env.ts:27`)
- Added `CRON_SECRET` for authenticating scheduled job requests (used in `helm/sim/templates/cronjobs.yaml:64`)
- Added `API_ENCRYPTION_KEY` for encrypting API keys at rest in the database (optional, validated in `apps/sim/lib/env.ts:26`)
- Updated README.md with comprehensive security documentation
- Consistently updated all 7 example values files (aws, azure, gcp, production, development, external-db, whitelabeled)
Issues Found:
- Documentation inconsistency: `CRON_SECRET` is marked as REQUIRED in the Helm chart documentation but defined as optional in the environment schema
- Confusing instructions for `API_ENCRYPTION_KEY` generation (mentions "64-character hex string" but schema requires min 32)
Confidence Score: 3/5
- This PR is mostly safe to merge but has documentation inconsistencies that should be addressed
- Score of 3 reflects that while the implementation is correct and consistent across all files, there are documentation inconsistencies between the Helm chart documentation and the actual environment schema that could confuse users and lead to runtime issues. The CRON_SECRET mismatch could result in users not setting it when they should (if it's truly required) or setting it unnecessarily (if it's truly optional).
- Pay attention to `helm/sim/README.md` to resolve the CRON_SECRET requirement inconsistency and API_ENCRYPTION_KEY generation instruction clarity
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| helm/sim/README.md | 3/5 | Adds documentation for three new environment variables (INTERNAL_API_SECRET, CRON_SECRET, API_ENCRYPTION_KEY). Contains inconsistency where CRON_SECRET is marked as required but is optional in env schema, and confusing instructions for API_ENCRYPTION_KEY generation. |
| helm/sim/values.yaml | 4/5 | Adds three new environment variables with inline comments. Properly marks INTERNAL_API_SECRET and CRON_SECRET as REQUIRED, API_ENCRYPTION_KEY as OPTIONAL. Comments are clear and helpful. |
| helm/sim/examples/values-production.yaml | 5/5 | Adds the three new environment variables to production example with placeholder values and clear comments. Properly structured for production use case. |
Sequence Diagram
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Helm as Helm Chart
    participant K8s as Kubernetes
    participant App as Application Pod
    participant Cron as CronJob Pod
    participant EnvSchema as Environment Schema

    Note over Dev,EnvSchema: Environment Variable Configuration Flow
    Dev->>Helm: Deploy with values.yaml
    Note over Helm: INTERNAL_API_SECRET=""<br/>CRON_SECRET=""<br/>API_ENCRYPTION_KEY=""
    Helm->>K8s: Create deployment manifests
    K8s->>App: Start application pod
    App->>EnvSchema: Validate env vars (apps/sim/lib/env.ts)
    alt INTERNAL_API_SECRET validation
        EnvSchema->>EnvSchema: Check .string().min(32) [REQUIRED]
        EnvSchema-->>App: ✓ Pass or ✗ Fail
    end
    alt CRON_SECRET validation
        EnvSchema->>EnvSchema: Check .string().optional()
        Note over EnvSchema: Inconsistency: Helm docs say REQUIRED<br/>but env.ts defines as optional
        EnvSchema-->>App: ✓ Always passes (optional)
    end
    alt API_ENCRYPTION_KEY validation
        EnvSchema->>EnvSchema: Check .string().min(32).optional()
        EnvSchema-->>App: ✓ Pass (optional)
    end
    App->>App: Use INTERNAL_API_SECRET for service auth
    App->>App: Use API_ENCRYPTION_KEY for API key encryption (if set)
    K8s->>Cron: Start scheduled cron job
    Cron->>Cron: Read CRON_SECRET from env
    Cron->>App: HTTP Request with Authorization: Bearer ${CRON_SECRET}
    App->>App: Validate CRON_SECRET
    App-->>Cron: Response
```
9 files reviewed, 2 comments
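The secret rules and the cron bearer check described in the review above, as an added TypeScript example that is not code from the PR or the project. The function names are hypothetical, and treating an empty string the same as an unset variable is an assumption.

```typescript
// Added example; function names are hypothetical, rules come from the review above.
type Env = Record<string, string | undefined>;
const MIN_LEN = 32; // the .min(32) quoted from the env schema

// Returns one message per misconfigured secret; an empty array means OK.
// strictCron=true follows the Helm docs (CRON_SECRET REQUIRED) rather than
// the schema's .optional(). Assumption: "" is treated the same as unset.
function checkSecrets(env: Env, strictCron: boolean = true): string[] {
  const problems: string[] = [];
  if ((env.INTERNAL_API_SECRET || "").length < MIN_LEN) {
    problems.push("INTERNAL_API_SECRET: required, at least 32 characters");
  }
  if (strictCron && !env.CRON_SECRET) {
    problems.push("CRON_SECRET: marked REQUIRED by the chart, must be set");
  }
  const apiKey = env.API_ENCRYPTION_KEY || "";
  if (apiKey !== "" && apiKey.length < MIN_LEN) {
    problems.push("API_ENCRYPTION_KEY: optional, at least 32 characters if set");
  }
  return problems;
}

// Compares every position instead of returning at the first mismatch.
// (In Node, crypto.timingSafeEqual is the usual production choice.)
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Fails closed: an unset or empty CRON_SECRET authorizes nothing.
function isAuthorizedCronRequest(
  authHeader: string | undefined,
  cronSecret: string | undefined
): boolean {
  if (!cronSecret || !authHeader) return false;
  return constantTimeEqual(authHeader, "Bearer " + cronSecret);
}

// Constructed sample values, not real secrets.
const sampleEnv: Env = {
  INTERNAL_API_SECRET: "constructed-internal-secret-0123456789abcdef",
  CRON_SECRET: "",
  API_ENCRYPTION_KEY: "short",
};
console.log(checkSecrets(sampleEnv));
```

Running `checkSecrets` against the rendered values before `helm install` surfaces the CRON_SECRET mismatch at deploy time instead of at the first scheduled job.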
Summary
added additional envvars to helm charts with documentation
Type of Change
Testing
Tested manually
Checklist