
feat: create K8s Secret for licence token#309

Open
flemzord wants to merge 1 commit into main from feat/licence-secret

Conversation

@flemzord
Member

Summary

  • New template licence-secret.yaml: creates a K8s Secret (<release>-licence) containing token and issuer when global.licence.createSecret=true and token is non-empty
  • Updated core.licence.env helper: 3-tier resolution for LICENCE_TOKEN and LICENCE_ISSUER: existingSecret > createSecret auto-name > plain value fallback
  • Improved values.yaml docs: explains how to share the Secret with the Operator via existingSecret

Usage modes

| Mode | Values | Result |
|---|---|---|
| Auto | createSecret: true, token: xxx | Creates <release>-licence, Operator creates its own |
| Shared | createSecret: true, token: xxx, existingSecret: <release>-licence | Creates <release>-licence, Operator reuses it |
| Manual | createSecret: false, existingSecret: my-secret | No secret created, both reference my-secret |
| Legacy | createSecret: false, token: xxx | No secret, token as plain env var |

Test plan

  • helm template with createSecret=true + token → Secret rendered with secretKeyRef in env vars
  • helm template with existingSecret set → Secret uses custom name
  • helm template without token → no Secret created
  • helm template with createSecret=false → legacy plain value fallback
  • helm lint passes in both CE and EE modes
  • Full render (CE + EE) produces valid YAML without errors
The `global.licence.createSecret` flag was defined in values but no template implemented it, causing Membership and Stargate to receive the licence token as a plain-text environment variable. This adds:
  • A new licence-secret.yaml template that creates a K8s Secret when createSecret=true and token is non-empty
  • Updated core.licence.env helper with 3-tier resolution: existingSecret, createSecret, or plain value fallback
  • LICENCE_ISSUER is now also read from the Secret when available
  • Improved values.yaml documentation explaining Operator sharing mode
@flemzord flemzord requested a review from a team as a code owner February 26, 2026 12:34
@coderabbitai

coderabbitai bot commented Feb 26, 2026

Walkthrough

This pull request adds secret-based token handling to the licence environment template in the Helm chart. It introduces logic to resolve and use Kubernetes secrets for licence credentials, with fallback support for direct value configuration. The changes update template defaults and enable conditional secret creation based on configuration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Licence Secret Configuration: charts/core/templates/_licence.tpl | Adds secret resolution logic for LICENCE_TOKEN and LICENCE_ISSUER with fallback to direct values. Introduces licence.existingSecret and licence.createSecret handling with secretName derivation from release name. Updates defaults to enable createSecret and configure secret key mappings. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A token tucked in secrets deep,
Where licence keys and issuer sleep,
With fallback paths for values free,
The chart now hops more securely!

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat: create K8s Secret for licence token' clearly and concisely summarizes the main change—adding Kubernetes Secret creation for licence tokens—which matches the primary focus of the changeset. |
| Description check | ✅ Passed | The description is well-detailed and directly related to the changeset, explaining the new licence-secret.yaml template, the updated core.licence.env helper with 3-tier resolution, improved documentation, and comprehensive test coverage. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/core/templates/_licence.tpl (1)

45-49: Consider making issuer secret key configurable for symmetry.

LICENCE_TOKEN key is configurable, but Line 49 hardcodes "issuer". Adding licence.secretKeys.issuer would keep token/issuer behavior consistent and reduce coupling to secret-template internals.



📥 Commits

Reviewing files that changed from the base of the PR and between fcbc14c and 8e9c9e1.

⛔ Files ignored due to path filters (5)
  • charts/formance/Chart.lock is excluded by !**/*.lock, !**/*.lock
  • charts/formance/templates/licence-secret.yaml is excluded by !**/*.yaml
  • charts/formance/values.yaml is excluded by !**/*.yaml
  • charts/membership/Chart.lock is excluded by !**/*.lock, !**/*.lock
  • charts/regions/Chart.lock is excluded by !**/*.lock, !**/*.lock
📒 Files selected for processing (1)
  • charts/core/templates/_licence.tpl
Comment on lines +30 to +31
{{- else if eq $createSecret "true" -}}
{{- $secretName = printf "%s-licence" .Release.Name -}}

⚠️ Potential issue | 🔴 Critical

Gate auto-secret resolution on non-empty token to avoid broken secretKeyRefs.

At Line 30–31, $secretName is set whenever createSecret == "true". But the Secret is only created when token is non-empty, so Line 34–49 can emit secretKeyRef to a non-existent Secret and block pod startup.

Proposed fix
 {{- $existingSecret := include "resolveGlobalOrServiceValue" (dict "Context" . "Key" "licence.existingSecret" "Default" "") -}} {{- $createSecret := include "resolveGlobalOrServiceValue" (dict "Context" . "Key" "licence.createSecret" "Default" "false") -}} +{{- $token := include "resolveGlobalOrServiceValue" (dict "Context" . "Key" "licence.token" "Default" "") -}} {{- $secretName := "" -}} {{- if $existingSecret -}} {{- $secretName = $existingSecret -}} -{{- else if eq $createSecret "true" -}} +{{- else if and (eq $createSecret "true") $token -}} {{- $secretName = printf "%s-licence" .Release.Name -}} {{- end }} - name: LICENCE_TOKEN {{- if $secretName }} valueFrom: secretKeyRef: name: {{ $secretName | quote }} key: {{ include "resolveGlobalOrServiceValue" (dict "Context" . "Key" "licence.secretKeys.token" "Default" "token") | quote }} {{- else }} - value: {{ include "resolveGlobalOrServiceValue" (dict "Context" . "Key" "licence.token" "Default" "") | quote }} + value: {{ $token | quote }} {{- end }}
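Review bot: the new `$token` guard resolves `licence.token` through `resolveGlobalOrServiceValue`, while the PR summary says the Secret itself is only rendered from `global.licence.createSecret` and the global token. If that helper lets a service-scoped `licence.token` override an empty global one, `$secretName` is still set to `<release>-licence` for that service and the `secretKeyRef` dangles exactly as before the fix. Gate on the same value the `licence-secret.yaml` template checks (or have the Secret template use the same resolution), and consider applying the same guard to the LICENCE_ISSUER branch, which also keys off `$secretName`.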

Also applies to: 34-49

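As an added check that is not part of the chart or of this PR: a script that walks rendered manifests (loaded as Python dicts, e.g. `yaml.safe_load_all` over `helm template` output) and reports every env `secretKeyRef` whose Secret or key is not rendered alongside it, which is the dangling reference the comment above describes. The sample manifests, release name and token value are constructed.

```python
"""Flag env secretKeyRefs in rendered manifests whose Secret or key is absent."""

# Constructed sample rendering: createSecret=true with an empty token. No Secret
# is emitted, but an un-gated helper still points LICENCE_TOKEN/LICENCE_ISSUER at
# "<release>-licence"; the kubelet reports this as CreateContainerConfigError.
RENDERED_NO_TOKEN = [
    {"kind": "Deployment", "metadata": {"name": "rel-membership"},
     "spec": {"template": {"spec": {"containers": [{"name": "membership", "env": [
         {"name": "LICENCE_TOKEN",
          "valueFrom": {"secretKeyRef": {"name": "rel-licence", "key": "token"}}},
         {"name": "LICENCE_ISSUER",
          "valueFrom": {"secretKeyRef": {"name": "rel-licence", "key": "issuer"}}},
     ]}]}}}},
]


def _pod_spec(obj: dict):
    """Pod spec of a bare Pod, or of any workload carrying a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec")
    return obj.get("spec", {}).get("template", {}).get("spec")


def find_dangling_secret_refs(manifests: list) -> list:
    """Return one 'kind/name: ENV -> secret[key] (reason)' line per unresolvable
    secretKeyRef; refs marked optional are skipped because the kubelet tolerates them."""
    secrets = {}  # Secret name -> set of keys present in data/stringData
    for obj in manifests:
        if obj.get("kind") == "Secret":
            keys = set(obj.get("data") or {}) | set(obj.get("stringData") or {})
            secrets[obj["metadata"]["name"]] = keys
    problems = []
    for obj in manifests:
        spec = _pod_spec(obj)
        if not spec:
            continue
        owner = f'{obj["kind"]}/{obj["metadata"]["name"]}'
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if not ref or ref.get("optional"):
                    continue
                name, key = ref["name"], ref.get("key")
                if name not in secrets:
                    problems.append(f'{owner}: {env["name"]} -> {name}[{key}] (Secret missing)')
                elif key not in secrets[name]:
                    problems.append(f'{owner}: {env["name"]} -> {name}[{key}] (key missing)')
    return problems
```

Run it over the output of each `helm template` case in the test plan; an empty list for the "without token" case confirms the gate works.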
Comment on lines +46 to +49
valueFrom:
secretKeyRef:
name: {{ $secretName | quote }}
key: "issuer"
Contributor


Why? The issuer is not a secret?
