improvement(helm): added additional envvars to helm charts (#1695)

* improvement(helm): added additional envvars to helm charts

* updated docs

Author: waleedlatif1

helm/sim/README.md

@@ -629,18 +629,30 @@ helm uninstall sim
 
 For production deployments, make sure to:
 
-1. **Change default secrets**: Update `BETTER_AUTH_SECRET` and `ENCRYPTION_KEY` with secure, randomly generated values
+1. **Change default secrets**: Update `BETTER_AUTH_SECRET`, `ENCRYPTION_KEY`, and `INTERNAL_API_SECRET` with secure, randomly generated values using `openssl rand -hex 32`
 2. **Use strong database passwords**: Set `postgresql.auth.password` to a strong password
 3. **Enable TLS**: Configure `postgresql.tls.enabled=true` and provide proper certificates
 4. **Configure ingress TLS**: Enable HTTPS with proper SSL certificates
 
+**Required Secrets:**
+- `BETTER_AUTH_SECRET`: Authentication JWT signing (minimum 32 characters)
+- `ENCRYPTION_KEY`: Encrypts sensitive data like environment variables (minimum 32 characters)
+- `INTERNAL_API_SECRET`: Internal service-to-service authentication (minimum 32 characters)
+
+**Optional Security (Recommended for Production):**
+- `CRON_SECRET`: Authenticates scheduled job requests to API endpoints (required only if `cronjobs.enabled=true`)
+- `API_ENCRYPTION_KEY`: Encrypts API keys at rest in database (must be exactly 64 hex characters). If not set, API keys are stored in plain text. Generate using: `openssl rand -hex 32` (outputs 64 hex chars representing 32 bytes)
+
 ### Example secure values:
 
 ```yaml
 app:
   env:
     BETTER_AUTH_SECRET: "your-secure-random-string-here"
     ENCRYPTION_KEY: "your-secure-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-internal-api-secret-here"
+    CRON_SECRET: "your-secure-cron-secret-here"
+    API_ENCRYPTION_KEY: "your-64-char-hex-string-for-api-key-encryption"  # Optional but recommended
 
 postgresql:
   auth:

helm/sim/examples/values-aws.yaml

@@ -32,8 +32,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
     ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
+    CRON_SECRET: "your-secure-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"

helm/sim/examples/values-azure.yaml

@@ -30,8 +30,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
     ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
+    CRON_SECRET: "your-secure-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"

helm/sim/examples/values-development.yaml

@@ -26,8 +26,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
 
     # Example secrets for development (replace with secure values for production)
+    # For production, generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "dev-32-char-auth-secret-not-secure-dev"
     ENCRYPTION_KEY: "dev-32-char-encryption-key-not-secure"
+    INTERNAL_API_SECRET: "dev-32-char-internal-secret-not-secure"
+    CRON_SECRET: "dev-32-char-cron-secret-not-for-prod"
+
+    # Optional: API Key Encryption (leave empty for dev, encrypts API keys at rest)
+    # For production, generate 64-char hex using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: ""  # Optional - if not set, API keys stored in plain text
 
 # Realtime service
 realtime:

helm/sim/examples/values-external-db.yaml

@@ -26,8 +26,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: ""  # Set via --set flag or external secret manager
     ENCRYPTION_KEY: ""      # Set via --set flag or external secret manager
+    INTERNAL_API_SECRET: "" # Set via --set flag or external secret manager
+    CRON_SECRET: ""         # Set via --set flag or external secret manager
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: ""  # Optional but recommended - encrypts API keys at rest
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"
@@ -150,4 +157,7 @@ networkPolicy:
 #   --set externalDatabase.database="your-db-name" \
 #   --set app.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
 #   --set app.env.ENCRYPTION_KEY="$(openssl rand -hex 32)" \
+#   --set app.env.INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
+#   --set app.env.CRON_SECRET="$(openssl rand -hex 32)" \
+#   --set app.env.API_ENCRYPTION_KEY="$(openssl rand -hex 32)" \
 #   --set realtime.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)"

helm/sim/examples/values-gcp.yaml

@@ -32,8 +32,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
     ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
+    CRON_SECRET: "your-secure-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"

helm/sim/examples/values-production.yaml

@@ -27,8 +27,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-production-auth-secret-here"
     ENCRYPTION_KEY: "your-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
+    CRON_SECRET: "your-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     # Email verification (set to true if you want to require email verification)
     EMAIL_VERIFICATION_ENABLED: "false"

helm/sim/examples/values-whitelabeled.yaml

@@ -20,8 +20,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
 
     # Security settings (REQUIRED)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-production-auth-secret-here"
     ENCRYPTION_KEY: "your-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
+    CRON_SECRET: "your-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     # UI Branding & Whitelabeling Configuration
     NEXT_PUBLIC_BRAND_NAME: "Acme AI Studio"

helm/sim/values.yaml

@@ -63,6 +63,15 @@ app:
     # Generate secure 32-character secrets using: openssl rand -hex 32
     BETTER_AUTH_SECRET: ""  # REQUIRED - set via --set flag or external secret manager
     ENCRYPTION_KEY: ""      # REQUIRED - set via --set flag or external secret manager
+    INTERNAL_API_SECRET: "" # REQUIRED - set via --set flag or external secret manager, used for internal service-to-service authentication
+
+    # Optional: Scheduled Jobs Authentication
+    # Generate using: openssl rand -hex 32
+    CRON_SECRET: ""         # OPTIONAL - required only if cronjobs.enabled=true, authenticates scheduled job requests
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32 (outputs 64 hex chars = 32 bytes)
+    API_ENCRYPTION_KEY: ""  # OPTIONAL - encrypts API keys at rest, must be exactly 64 hex characters, if not set keys stored in plain text
 
     # Email & Communication
     EMAIL_VERIFICATION_ENABLED: "false"                   # Enable email verification for user registration and login (defaults to false)