Smtp and default config

charts/countly/templates/external-secret-common.yaml

@@ -1,7 +1,7 @@
 {{- if eq (.Values.secrets.mode | default "values") "externalSecret" }}
 {{- if not .Values.secrets.common.existingSecret }}
 {{- $commonRemote := .Values.secrets.externalSecret.remoteRefs.common | default dict -}}
-{{- $commonUsesExternal := or $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret -}}
+{{- $commonUsesExternal := or $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret $commonRemote.mailConfigAuthUser $commonRemote.mailConfigAuthPass -}}
 {{- if $commonUsesExternal }}
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -21,7 +21,7 @@ spec:
   target:
     name: {{ include "countly.fullname" . }}-common
     creationPolicy: Owner
-    {{- $hasCommonTemplateData := not (and $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret) }}
+    {{- $hasCommonTemplateData := or (not $commonRemote.encryptionReportsKey) (not $commonRemote.webSessionSecret) (not $commonRemote.passwordSecret) (and .Values.secrets.common.mailConfigAuthUser (not $commonRemote.mailConfigAuthUser)) (and .Values.secrets.common.mailConfigAuthPass (not $commonRemote.mailConfigAuthPass)) }}
     {{- if $hasCommonTemplateData }}
     template:
       engineVersion: v2
@@ -36,6 +36,12 @@ spec:
         {{- if not .Values.secrets.externalSecret.remoteRefs.common.passwordSecret }}
         COUNTLY_CONFIG__PASSWORDSECRET: {{ .Values.secrets.common.passwordSecret | quote }}
         {{- end }}
+        {{- if and .Values.secrets.common.mailConfigAuthUser (not .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser) }}
+        COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER: {{ .Values.secrets.common.mailConfigAuthUser | quote }}
+        {{- end }}
+        {{- if and .Values.secrets.common.mailConfigAuthPass (not .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthPass) }}
+        COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS: {{ .Values.secrets.common.mailConfigAuthPass | quote }}
+        {{- end }}
     {{- end }}
   data:
     {{- if .Values.secrets.externalSecret.remoteRefs.common.encryptionReportsKey }}
@@ -53,6 +59,16 @@ spec:
       remoteRef:
         key: {{ required "secrets.externalSecret.remoteRefs.common.passwordSecret is required" .Values.secrets.externalSecret.remoteRefs.common.passwordSecret }}
     {{- end }}
+    {{- if .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser }}
+    - secretKey: COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER
+      remoteRef:
+        key: {{ .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser }}
+    {{- end }}
+    {{- if .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthPass }}
+    - secretKey: COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS
+      remoteRef:
+        key: {{ .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthPass }}
+    {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

charts/countly/templates/secret-common.yaml

@@ -22,4 +22,10 @@ data:
   COUNTLY_CONFIG__ENCRYPTION_REPORTS_KEY: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__ENCRYPTION_REPORTS_KEY" "value" .Values.secrets.common.encryptionReportsKey "namespace" .Release.Namespace) }}
   COUNTLY_CONFIG__WEB_SESSION_SECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__WEB_SESSION_SECRET" "value" .Values.secrets.common.webSessionSecret "namespace" .Release.Namespace) }}
   COUNTLY_CONFIG__PASSWORDSECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__PASSWORDSECRET" "value" .Values.secrets.common.passwordSecret "namespace" .Release.Namespace) }}
+  {{- if or .Values.secrets.common.mailConfigAuthUser (and $existing (hasKey $existing.data "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER")) }}
+  COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER" "value" .Values.secrets.common.mailConfigAuthUser "namespace" .Release.Namespace) }}
+  {{- end }}
+  {{- if or .Values.secrets.common.mailConfigAuthPass (and $existing (hasKey $existing.data "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS")) }}
+  COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_PASS" "value" .Values.secrets.common.mailConfigAuthPass "namespace" .Release.Namespace) }}
+  {{- end }}
 {{- end }}

charts/countly/values.schema.json

@@ -164,6 +164,12 @@
             },
             "passwordSecret": {
               "type": "string"
+            },
+            "mailConfigAuthUser": {
+              "type": "string"
+            },
+            "mailConfigAuthPass": {
+              "type": "string"
             }
           }
         },

charts/countly/values.yaml

@@ -308,6 +308,10 @@ config:
     NODE_ENV: production
     # -- Comma-separated list of enabled Countly plugins
     COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse"
+    # Optional SMTP non-secret settings. SMTP credentials belong in secrets.common.*
+    # COUNTLY_CONFIG__MAIL_CONFIG_PORT: "587"
+    # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "MySmtpProvider"
+    # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly <no-reply@example.com>"
     COUNTLY_CONFIG__FILESTORAGE: gridfs
     COUNTLY_CONFIG__DRILL_EVENTS_DRIVER: clickhouse
     COUNTLY_CONFIG__SHARED_CONNECTION: "true"
@@ -482,6 +486,10 @@ secrets:
     webSessionSecret: ""
     # -- Internal password hashing secret
     passwordSecret: ""
+    # -- Optional SMTP auth username
+    mailConfigAuthUser: ""
+    # -- Optional SMTP auth password
+    mailConfigAuthPass: ""
 
   # -- ClickHouse credential secrets
   clickhouse:
@@ -520,6 +528,12 @@ secrets:
         encryptionReportsKey: ""
         webSessionSecret: ""
         passwordSecret: ""
+        # Optional SMTP auth refs when using External Secrets.
+        # Example:
+        # mailConfigAuthUser: "my-smtp-auth-user-secret"
+        # mailConfigAuthPass: "my-smtp-auth-pass-secret"
+        mailConfigAuthUser: ""
+        mailConfigAuthPass: ""
       clickhouse:
         url: ""
         username: ""

docs/SECRET-MANAGEMENT.md

@@ -15,6 +15,8 @@ secrets:
     encryptionReportsKey: "my-key"
     webSessionSecret: "my-session"
     passwordSecret: "my-password"
+    mailConfigAuthUser: "smtp-user"
+    mailConfigAuthPass: "smtp-pass"
   clickhouse:
     password: "ch-password"
   mongodb:
@@ -57,6 +59,9 @@ secrets:
         encryptionReportsKey: "acme-countly-encryption-reports-key"
         webSessionSecret: "acme-countly-web-session-secret"
         passwordSecret: "acme-countly-password-secret"
+        # Optional SMTP auth refs:
+        # mailConfigAuthUser: "my-smtp-auth-user-secret"
+        # mailConfigAuthPass: "my-smtp-auth-pass-secret"
       clickhouse:
         password: "acme-countly-clickhouse-password"
       mongodb:
@@ -84,6 +89,8 @@ All secrets are required on first install. On upgrades, existing values are pres
 | countly | common | encryptionReportsKey | Report encryption (min 8 chars) |
 | countly | common | webSessionSecret | Session cookie signing (min 8 chars) |
 | countly | common | passwordSecret | Password hashing (min 8 chars) |
+| countly | common | mailConfigAuthUser | Optional SMTP auth username |
+| countly | common | mailConfigAuthPass | Optional SMTP auth password |
 | countly | clickhouse | password | ClickHouse default user auth |
 | countly | mongodb | password | MongoDB app user auth, reuse the same GSM key as `countly-mongodb.users.app.password` |
 | countly-mongodb | users.app | password | Must match countly secrets.mongodb.password |

environments/reference/countly.yaml

@@ -283,7 +283,15 @@ config:
   # --- Common (shared by all components) ---
   common:
     NODE_ENV: production
+    # Plugin example for direct/public repo values:
+    # COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse"
+    # Plugin example for Countly-hosted/private repo values:
+    # COUNTLY_PLUGINS: "adjust,journey_engine,content,mobile,web,desktop,plugins,density,locale,browser,sources,views,license,drill,funnels,retention_segments,flows,cohorts,surveys,remote-config,ab-testing,formulas,activity-map,concurrent_users,revenue,logger,systemlogs,populator,reports,crashes,push,geo,block,users,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crashes-jira,groups,white-labeling,alerts,times-of-day,compliance-hub,onboarding,active_users,performance-monitoring,config-transfer,consolidate,data-manager,hooks,dashboards,sdk"
     COUNTLY_PLUGINS: "mobile,web,desktop,plugins,density,locale,browser,sources,views,logger,systemlogs,populator,reports,crashes,push,star-rating,slipping-away-users,compare,server-stats,dbviewer,crash_symbolication,crash-analytics,alerts,onboarding,consolidate,remote-config,hooks,dashboards,sdk,data-manager,guides,heatmaps,retention_segments,formulas,funnels,cohorts,ab-testing,performance-monitoring,config-transfer,data-migration,two-factor-auth,blocking,concurrent_users,revenue,activity-map,flows,surveys,event-timeline,drill,multi,active_users,ip-blocker,kafka,clickhouse"
+    # Optional SMTP non-secret settings. Put auth user/pass in credentials-countly.yaml.
+    # COUNTLY_CONFIG__MAIL_CONFIG_PORT: "587"
+    # COUNTLY_CONFIG__MAIL_CONFIG_SERVICE: "MySmtpProvider"
+    # COUNTLY_CONFIG__MAIL_STRINGS_FROM: "Countly <no-reply@example.com>"
     COUNTLY_CONFIG__FILESTORAGE: gridfs
     COUNTLY_CONFIG__DRILL_EVENTS_DRIVER: clickhouse
     COUNTLY_CONFIG__SHARED_CONNECTION: "true"

environments/reference/credentials-countly.yaml

@@ -6,6 +6,8 @@ secrets:
     encryptionReportsKey: ""     # REQUIRED: min 8 chars
     webSessionSecret: ""         # REQUIRED: min 8 chars
     passwordSecret: ""           # REQUIRED: min 8 chars
+    mailConfigAuthUser: ""       # Optional: SMTP auth user
+    mailConfigAuthPass: ""       # Optional: SMTP auth password
   clickhouse:
     username: "default"
     password: ""                 # REQUIRED: must match credentials-clickhouse.yaml
@@ -28,6 +30,9 @@ secrets:
 #         encryptionReportsKey: "acme-countly-encryption-reports-key"
 #         webSessionSecret: "acme-countly-web-session-secret"
 #         passwordSecret: "acme-countly-password-secret"
+#         # Example SMTP auth refs:
+#         mailConfigAuthUser: "my-smtp-auth-user-secret"
+#         mailConfigAuthPass: "my-smtp-auth-pass-secret"
 #       clickhouse:
 #         password: "acme-countly-clickhouse-password"
 #       mongodb:

environments/reference/external-secrets.example.yaml

@@ -17,6 +17,9 @@
 #           encryptionReportsKey: "acme-countly-encryption-reports-key"
 #           webSessionSecret: "acme-countly-web-session-secret"
 #           passwordSecret: "acme-countly-password-secret"
+#           # Example SMTP auth refs:
+#           mailConfigAuthUser: "my-smtp-auth-user-secret"
+#           mailConfigAuthPass: "my-smtp-auth-pass-secret"
 #         clickhouse:
 #           password: "acme-countly-clickhouse-password"
 #         mongodb: