From 72834ba0bc39d1904381c53f7272ce65ef47493f Mon Sep 17 00:00:00 2001 From: ihaardik Date: Tue, 7 Apr 2026 01:27:03 +0530 Subject: [PATCH 1/3] Add SMTP config mapping for Countly hosted deployments --- .../templates/external-secret-common.yaml | 20 +++++++++++++++++-- charts/countly/templates/secret-common.yaml | 6 ++++++ charts/countly/values.schema.json | 6 ++++++ charts/countly/values.yaml | 12 +++++++++++ docs/SECRET-MANAGEMENT.md | 7 +++++++ environments/reference/countly.yaml | 8 ++++++++ .../reference/credentials-countly.yaml | 5 +++++ .../reference/external-secrets.example.yaml | 3 +++ 8 files changed, 65 insertions(+), 2 deletions(-) diff --git a/charts/countly/templates/external-secret-common.yaml b/charts/countly/templates/external-secret-common.yaml index c1570b1..3360f84 100644 --- a/charts/countly/templates/external-secret-common.yaml +++ b/charts/countly/templates/external-secret-common.yaml @@ -1,7 +1,7 @@ {{- if eq (.Values.secrets.mode | default "values") "externalSecret" }} {{- if not .Values.secrets.common.existingSecret }} {{- $commonRemote := .Values.secrets.externalSecret.remoteRefs.common | default dict -}} -{{- $commonUsesExternal := or $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret -}} +{{- $commonUsesExternal := or $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret $commonRemote.mailConfigAuthUser $commonRemote.mailConfigAuthPass -}} {{- if $commonUsesExternal }} apiVersion: external-secrets.io/v1 kind: ExternalSecret 
@@ -21,7 +21,7 @@ spec: target: name: {{ include "countly.fullname" . }}-common creationPolicy: Owner - {{- $hasCommonTemplateData := not (and $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret) }} + {{- $hasCommonTemplateData := or (not $commonRemote.encryptionReportsKey) (not $commonRemote.webSessionSecret) (not $commonRemote.passwordSecret) (and .Values.secrets.common.mailConfigAuthUser (not $commonRemote.mailConfigAuthUser)) (and .Values.secrets.common.mailConfigAuthPass (not $commonRemote.mailConfigAuthPass)) }} {{- if $hasCommonTemplateData }} template: engineVersion: v2 @@ -36,6 +36,12 @@ spec: {{- if not .Values.secrets.externalSecret.remoteRefs.common.passwordSecret }} COUNTLY_CONFIG__PASSWORDSECRET: {{ .Values.secrets.common.passwordSecret | quote }} {{- end }} + {{- if and .Values.secrets.common.mailConfigAuthUser (not .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser) }} + COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER: {{ .Values.secrets.common.mailConfigAuthUser | quote }} + {{- end }} + {{- if and .Values.secrets.common.mailConfigAuthPass (not .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthPass) }} + COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS: {{ .Values.secrets.common.mailConfigAuthPass | quote }} + {{- end }} {{- end }} data: {{- if .Values.secrets.externalSecret.remoteRefs.common.encryptionReportsKey }} 
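Review bot: In the `@@ -36,6 +36,12 @@` hunk, an inline `secrets.common.mailConfigAuthPass` is written verbatim into the ExternalSecret's `template.data` whenever its remote ref is empty, so the SMTP password is stored in the ExternalSecret object's spec and not only in the Secret it produces. Read access to ExternalSecret resources may be granted more widely than access to Secrets, so check RBAC on that kind before relying on this path. The three existing keys follow the same pattern, but for a new optional credential it would be safer to reject the mix in externalSecret mode, for example `{{- fail "use secrets.externalSecret.remoteRefs.common.mailConfigAuthPass in externalSecret mode" }}` under that condition, or at least to say so in the values comment. The `$hasCommonTemplateData` expression in the preceding hunk is what switches this block on for the mail keys, and the new conditions read `.Values.secrets.externalSecret.remoteRefs.common.*` directly although `$commonRemote` is already in scope.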
@@ -53,6 +59,16 @@ spec: remoteRef: key: {{ required "secrets.externalSecret.remoteRefs.common.passwordSecret is required" .Values.secrets.externalSecret.remoteRefs.common.passwordSecret }} {{- end }} + {{- if .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser }} + - secretKey: COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER + remoteRef: + key: {{ .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser }} + {{- end }} + {{- if .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthPass }} + - secretKey: COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS + remoteRef: + key: {{ .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthPass }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/countly/templates/secret-common.yaml b/charts/countly/templates/secret-common.yaml index 8d17ecb..8191732 100644 --- a/charts/countly/templates/secret-common.yaml +++ b/charts/countly/templates/secret-common.yaml 
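Review bot: The two new `remoteRef.key` values are emitted unquoted, so a reference name that YAML reads as a number, boolean or null, or one containing `: ` or ` #`, changes type or breaks the rendered manifest. Pipe them through `quote`: `key: {{ .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser | quote }}`, and the same for `mailConfigAuthPass`. The `required ...` entry visible just above is unquoted as well and would benefit from the same treatment.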
@@ -22,4 +22,10 @@ data: COUNTLY_CONFIG__ENCRYPTION_REPORTS_KEY: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__ENCRYPTION_REPORTS_KEY" "value" .Values.secrets.common.encryptionReportsKey "namespace" .Release.Namespace) }} COUNTLY_CONFIG__WEB_SESSION_SECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__WEB_SESSION_SECRET" "value" .Values.secrets.common.webSessionSecret "namespace" .Release.Namespace) }} COUNTLY_CONFIG__PASSWORDSECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__PASSWORDSECRET" "value" .Values.secrets.common.passwordSecret "namespace" .Release.Namespace) }} + {{- if or .Values.secrets.common.mailConfigAuthUser (and $existing (hasKey $existing.data "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER")) }} + COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER" "value" .Values.secrets.common.mailConfigAuthUser "namespace" .Release.Namespace) }} + {{- end }} + {{- if or .Values.secrets.common.mailConfigAuthPass (and $existing (hasKey $existing.data "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS")) }} + COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS" "value" .Values.secrets.common.mailConfigAuthPass "namespace" .Release.Namespace) }} + {{- end }} {{- end }} diff --git a/charts/countly/values.schema.json b/charts/countly/values.schema.json index 35af06f..a959976 100644 --- a/charts/countly/values.schema.json +++ b/charts/countly/values.schema.json @@ -164,6 +164,12 @@ }, "passwordSecret": { "type": "string" + }, + "mailConfigAuthUser": { + "type": "string" + }, + "mailConfigAuthPass": { + "type": "string" } } }, diff --git a/charts/countly/values.yaml b/charts/countly/values.yaml index 57fb282..f28ad11 100644 --- a/charts/countly/values.yaml 
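Review bot: In the `secret-common.yaml` hunk, both new guards call `hasKey $existing.data ...` inside `and $existing (...)`, which is only safe when `and` short-circuits; Helm binaries built with Go earlier than 1.18 evaluate every argument, and `hasKey` is expected to fail on a nil map. `$existing` is defined outside this hunk, so this is inferred from how it is used here; if it comes from `lookup`, it is empty on first install and under `helm template`. A nil-safe form is `hasKey ($existing.data | default dict) "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER"`, and likewise for the `_PASS` key. The `hasKey` branch also keeps rendering a key once it exists in the live Secret even after the value is cleared, so the docs should state how an operator removes or rotates the SMTP credentials.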
+++ b/charts/countly/values.yaml @@ -308,6 +308,10 @@ config: NODE_ENV: production # -- Comma-separated list of enabled Countly plugins COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse" + # Optional SMTP non-secret settings. SMTP credentials belong in secrets.common.* + # COUNTLY_CONFIG__MAIL_CONFIG_PORT: "587" + # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "Postmark" + # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly " COUNTLY_CONFIG__FILESTORAGE: gridfs COUNTLY_CONFIG__DRILL_EVENTS_DRIVER: clickhouse COUNTLY_CONFIG__SHARED_CONNECTION: "true" @@ -482,6 +486,10 @@ secrets: webSessionSecret: "" # -- Internal password hashing secret passwordSecret: "" + # -- Optional SMTP auth username + mailConfigAuthUser: "" + # -- Optional SMTP auth password + mailConfigAuthPass: "" # -- ClickHouse credential secrets clickhouse: @@ -520,6 +528,10 @@ secrets: encryptionReportsKey: "" webSessionSecret: "" passwordSecret: "" + # Shared defaults for Countly-hosted customers using GCP External Secrets. + # Override only when a customer needs dedicated SMTP credentials. + mailConfigAuthUser: "countly-ssl-smtp-user" + mailConfigAuthPass: "countly-ssl-smtp-pass" clickhouse: url: "" username: "" diff --git a/docs/SECRET-MANAGEMENT.md b/docs/SECRET-MANAGEMENT.md index 72cca14..b3c93a9 100644 --- a/docs/SECRET-MANAGEMENT.md +++ b/docs/SECRET-MANAGEMENT.md 
@@ -15,6 +15,8 @@ secrets: encryptionReportsKey: "my-key" webSessionSecret: "my-session" passwordSecret: "my-password" + mailConfigAuthUser: "smtp-user" + mailConfigAuthPass: "smtp-pass" clickhouse: password: "ch-password" mongodb: @@ -57,6 +59,9 @@ secrets: encryptionReportsKey: "acme-countly-encryption-reports-key" webSessionSecret: "acme-countly-web-session-secret" passwordSecret: "acme-countly-password-secret" + # Optional override. By default hosted deployments can use: + # mailConfigAuthUser: "countly-ssl-smtp-user" + # mailConfigAuthPass: "countly-ssl-smtp-pass" clickhouse: password: "acme-countly-clickhouse-password" mongodb: @@ -84,6 +89,8 @@ All secrets are required on first install. On upgrades, existing values are pres | countly | common | encryptionReportsKey | Report encryption (min 8 chars) | | countly | common | webSessionSecret | Session cookie signing (min 8 chars) | | countly | common | passwordSecret | Password hashing (min 8 chars) | +| countly | common | mailConfigAuthUser | Optional SMTP auth username | +| countly | common | mailConfigAuthPass | Optional SMTP auth password | | countly | clickhouse | password | ClickHouse default user auth | | countly | mongodb | password | MongoDB app user auth, reuse the same GSM key as `countly-mongodb.users.app.password` | | countly-mongodb | users.app | password | Must match countly secrets.mongodb.password | diff --git a/environments/reference/countly.yaml b/environments/reference/countly.yaml index c9c82e0..4f46370 100644 --- a/environments/reference/countly.yaml +++ b/environments/reference/countly.yaml 
@@ -283,7 +283,15 @@ config: # --- Common (shared by all components) --- common: NODE_ENV: production + # Plugin example for direct/public repo values: + # COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse" + # Plugin example for Countly-hosted/private repo values: + # COUNTLY_PLUGINS: "adjust,journey_engine,content,mobile,web,desktop,plugins,density,locale,browser,sources,views,license,drill,funnels,retention_segments,flows,cohorts,surveys,remote-config,ab-testing,formulas,activity-map,concurrent_users,revenue,logger,systemlogs,populator,reports,crashes,push,geo,block,users,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crashes-jira,groups,white-labeling,alerts,times-of-day,compliance-hub,onboarding,active_users,performance-monitoring,config-transfer,consolidate,data-manager,hooks,dashboards,sdk" COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse" + # Optional SMTP non-secret settings. 
Put auth user/pass in credentials-countly.yaml. + # COUNTLY_CONFIG__MAIL_CONFIG_PORT: "587" + # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "Postmark" + # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly " COUNTLY_CONFIG__FILESTORAGE: gridfs COUNTLY_CONFIG__DRILL_EVENTS_DRIVER: clickhouse COUNTLY_CONFIG__SHARED_CONNECTION: "true" diff --git a/environments/reference/credentials-countly.yaml b/environments/reference/credentials-countly.yaml index 23c147e..37ced55 100644 --- a/environments/reference/credentials-countly.yaml +++ b/environments/reference/credentials-countly.yaml @@ -6,6 +6,8 @@ secrets: encryptionReportsKey: "" # REQUIRED: min 8 chars webSessionSecret: "" # REQUIRED: min 8 chars passwordSecret: "" # REQUIRED: min 8 chars + mailConfigAuthUser: "" # Optional: SMTP auth user + mailConfigAuthPass: "" # Optional: SMTP auth password clickhouse: username: "default" password: "" # REQUIRED: must match credentials-clickhouse.yaml @@ -28,6 +30,9 @@ secrets: # encryptionReportsKey: "acme-countly-encryption-reports-key" # webSessionSecret: "acme-countly-web-session-secret" # passwordSecret: "acme-countly-password-secret" +# # Shared hosted defaults. You can omit these if you use the chart defaults. +# mailConfigAuthUser: "countly-ssl-smtp-user" +# mailConfigAuthPass: "countly-ssl-smtp-pass" # clickhouse: # password: "acme-countly-clickhouse-password" # mongodb: diff --git a/environments/reference/external-secrets.example.yaml b/environments/reference/external-secrets.example.yaml index 092f526..e128533 100644 --- a/environments/reference/external-secrets.example.yaml +++ b/environments/reference/external-secrets.example.yaml 
@@ -17,6 +17,9 @@ # encryptionReportsKey: "acme-countly-encryption-reports-key" # webSessionSecret: "acme-countly-web-session-secret" # passwordSecret: "acme-countly-password-secret" +# # Shared hosted defaults. You can omit these if you use the chart defaults. +# mailConfigAuthUser: "countly-ssl-smtp-user" +# mailConfigAuthPass: "countly-ssl-smtp-pass" # clickhouse: # password: "acme-countly-clickhouse-password" # mongodb: From c3117a290889534a41ca85836a97ffb0b66c1231 Mon Sep 17 00:00:00 2001 From: ihaardik Date: Tue, 7 Apr 2026 16:46:28 +0530 Subject: [PATCH 2/3] Keep SMTP auth refs opt-in in Helm defaults --- charts/countly/values.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/charts/countly/values.yaml b/charts/countly/values.yaml index f28ad11..d4cc332 100644 --- a/charts/countly/values.yaml +++ b/charts/countly/values.yaml @@ -528,10 +528,12 @@ secrets: encryptionReportsKey: "" webSessionSecret: "" passwordSecret: "" - # Shared defaults for Countly-hosted customers using GCP External Secrets. - # Override only when a customer needs dedicated SMTP credentials. - mailConfigAuthUser: "countly-ssl-smtp-user" - mailConfigAuthPass: "countly-ssl-smtp-pass" + # Optional SMTP auth refs when using External Secrets. + # Example: + # mailConfigAuthUser: "countly-ssl-smtp-user" + # mailConfigAuthPass: "countly-ssl-smtp-pass" + mailConfigAuthUser: "" + mailConfigAuthPass: "" clickhouse: url: "" username: "" From 114eee5b3a8b3443cd4cb5ce6e120454c634965e Mon Sep 17 00:00:00 2001 From: ihaardik Date: Tue, 7 Apr 2026 16:54:22 +0530 Subject: [PATCH 3/3] Use generic SMTP examples in public docs --- charts/countly/values.yaml | 8 ++++---- docs/SECRET-MANAGEMENT.md | 6 +++--- environments/reference/countly.yaml | 4 ++-- environments/reference/credentials-countly.yaml | 6 +++--- environments/reference/external-secrets.example.yaml | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/charts/countly/values.yaml b/charts/countly/values.yaml index d4cc332..4646efa 100644 --- a/charts/countly/values.yaml +++ b/charts/countly/values.yaml @@ -310,8 +310,8 @@ config: COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse" # Optional SMTP non-secret settings. SMTP credentials belong in secrets.common.* # COUNTLY_CONFIG__MAIL_CONFIG_PORT: "587" - # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "Postmark" - # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly " + # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "MySmtpProvider" + # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly " COUNTLY_CONFIG__FILESTORAGE: gridfs COUNTLY_CONFIG__DRILL_EVENTS_DRIVER: clickhouse COUNTLY_CONFIG__SHARED_CONNECTION: "true" @@ -530,8 +530,8 @@ secrets: passwordSecret: "" # Optional SMTP auth refs when using External Secrets. # Example: - # mailConfigAuthUser: "countly-ssl-smtp-user" - # mailConfigAuthPass: "countly-ssl-smtp-pass" + # mailConfigAuthUser: "my-smtp-auth-user-secret" + # mailConfigAuthPass: "my-smtp-auth-pass-secret" mailConfigAuthUser: "" mailConfigAuthPass: "" clickhouse: diff --git a/docs/SECRET-MANAGEMENT.md b/docs/SECRET-MANAGEMENT.md index b3c93a9..dccb264 100644 --- a/docs/SECRET-MANAGEMENT.md +++ b/docs/SECRET-MANAGEMENT.md 
@@ -59,9 +59,9 @@ secrets: encryptionReportsKey: "acme-countly-encryption-reports-key" webSessionSecret: "acme-countly-web-session-secret" passwordSecret: "acme-countly-password-secret" - # Optional override. By default hosted deployments can use: - # mailConfigAuthUser: "countly-ssl-smtp-user" - # mailConfigAuthPass: "countly-ssl-smtp-pass" + # Optional SMTP auth refs: + # mailConfigAuthUser: "my-smtp-auth-user-secret" + # mailConfigAuthPass: "my-smtp-auth-pass-secret" clickhouse: password: "acme-countly-clickhouse-password" mongodb: diff --git a/environments/reference/countly.yaml b/environments/reference/countly.yaml index 4f46370..72a62b9 100644 --- a/environments/reference/countly.yaml +++ b/environments/reference/countly.yaml @@ -290,8 +290,8 @@ config: COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse" # Optional SMTP non-secret settings. Put auth user/pass in credentials-countly.yaml. # COUNTLY_CONFIG__MAIL_CONFIG_PORT: "587" - # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "Postmark" - # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly " + # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "MySmtpProvider" + # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly " COUNTLY_CONFIG__FILESTORAGE: gridfs COUNTLY_CONFIG__DRILL_EVENTS_DRIVER: clickhouse COUNTLY_CONFIG__SHARED_CONNECTION: "true" diff --git a/environments/reference/credentials-countly.yaml b/environments/reference/credentials-countly.yaml index 37ced55..cf3d718 100644 
--- a/environments/reference/credentials-countly.yaml +++ b/environments/reference/credentials-countly.yaml @@ -30,9 +30,9 @@ secrets: # encryptionReportsKey: "acme-countly-encryption-reports-key" # webSessionSecret: "acme-countly-web-session-secret" # passwordSecret: "acme-countly-password-secret" -# # Shared hosted defaults. You can omit these if you use the chart defaults. -# mailConfigAuthUser: "countly-ssl-smtp-user" -# mailConfigAuthPass: "countly-ssl-smtp-pass" +# # Example SMTP auth refs: +# mailConfigAuthUser: "my-smtp-auth-user-secret" +# mailConfigAuthPass: "my-smtp-auth-pass-secret" # clickhouse: # password: "acme-countly-clickhouse-password" # mongodb: diff --git a/environments/reference/external-secrets.example.yaml b/environments/reference/external-secrets.example.yaml index e128533..6ff8dc5 100644 --- a/environments/reference/external-secrets.example.yaml +++ b/environments/reference/external-secrets.example.yaml @@ -17,9 +17,9 @@ # encryptionReportsKey: "acme-countly-encryption-reports-key" # webSessionSecret: "acme-countly-web-session-secret" # passwordSecret: "acme-countly-password-secret" -# # Shared hosted defaults. You can omit these if you use the chart defaults. -# mailConfigAuthUser: "countly-ssl-smtp-user" -# mailConfigAuthPass: "countly-ssl-smtp-pass" +# # Example SMTP auth refs: +# mailConfigAuthUser: "my-smtp-auth-user-secret" +# mailConfigAuthPass: "my-smtp-auth-pass-secret" # clickhouse: # password: "acme-countly-clickhouse-password" # mongodb: