Update Helm chart with comprehensive installation instructions

- Add local and OCI image deployment sections to chart README
- Configure Auth0 authentication via v1-sync-helper-auth0-credentials secret
- Add all missing environment variables from service README
- Simplify environment variables documentation to show only defaults
- Reference main service README for complete variable list
- Use heredoc for values.yaml creation in OCI installation

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via Zed)

Signed-off-by: Eric Searcy <[email protected]>

Author: emsearcy

charts/lfx-v1-sync-helper/README.md

@@ -11,17 +11,59 @@ This Helm chart deploys the LFX v1 Sync Helper service, which monitors NATS KV s
 
 ## Installing the chart
 
-### Installing from source
+### Installing from local chart
 
-Clone the repository before running the following commands from the root of the working directory.
+For development or testing with local chart sources:
 
 ```bash
+# Clone the repository
+git clone https://github.com/linuxfoundation/lfx-v1-sync-helper.git
+cd lfx-v1-sync-helper
+
 # Create namespace (recommended)
 kubectl create namespace lfx
 
-# Install the chart
+# Create Auth0 secret with required credentials
+kubectl create secret generic v1-sync-helper-auth0-credentials \
+    --from-literal=client-id=your-auth0-client-id \
+    --from-literal=private-key="$(cat auth0-private-key.pem)" \
+    -n lfx
+
+# Install the chart with required image tag and AUTH0_TENANT
 helm install -n lfx lfx-v1-sync-helper \
-    ./charts/lfx-v1-sync-helper
+    ./charts/lfx-v1-sync-helper \
+    --set image.tag=latest \
+    --set app.environment.AUTH0_TENANT.value=my_tenant
+```
+
+**Note**: When using the local chart, you must specify `--set image.tag=latest` because the committed chart does not have an appVersion, so a version must always be specified when not using the published chart. The AUTH0_TENANT environment variable and Auth0 secret are also required.
+
+### Installing from OCI registry
+
+For production deployments using the published chart:
+
+```bash
+# Create namespace (recommended)
+kubectl create namespace lfx
+
+# Create Auth0 secret with required credentials
+kubectl create secret generic v1-sync-helper-auth0-credentials \
+    --from-literal=client-id=your-auth0-client-id \
+    --from-literal=private-key="$(cat auth0-private-key.pem)" \
+    -n lfx
+
+# Create values.yaml with required AUTH0_TENANT
+cat > values.yaml << EOF
+app:
+  environment:
+    AUTH0_TENANT:
+      value: my_tenant
+EOF
+
+# Install from the OCI registry
+helm install -n lfx lfx-v1-sync-helper \
+    oci://ghcr.io/linuxfoundation/lfx-v1-sync-helper/chart \
+    -f values.yaml
 ```
 
 ## Uninstalling the chart
@@ -34,5 +76,44 @@ helm uninstall lfx-v1-sync-helper -n lfx
 
 ## Configuration
 
+### Required Secrets
+
+The chart requires the following secrets to be created before installation:
+
+1. **Heimdall JWT signing key** (default name: `heimdall-signer-cert`):
+   ```bash
+   kubectl create secret generic heimdall-signer-cert \
+       --from-file=signer.pem=/path/to/heimdall-private-key.pem \
+       -n lfx
+   ```
+
+2. **Auth0 credentials** (default name: `v1-sync-helper-auth0-credentials`):
+   ```bash
+   kubectl create secret generic v1-sync-helper-auth0-credentials \
+       --from-literal=client-id=your-auth0-client-id \
+       --from-literal=private-key="$(cat auth0-private-key.pem)" \
+       -n lfx
+   ```
+
+### Environment Variables
+
+The following environment variables have defaults configured in the chart's `app.environment` section:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NATS_URL` | `nats://lfx-platform-nats.lfx.svc.cluster.local:4222` | NATS server URL |
+| `PROJECT_SERVICE_URL` | `http://lfx-v2-project-service.lfx.svc.cluster.local:8080` | Project Service API URL |
+| `COMMITTEE_SERVICE_URL` | `http://lfx-v2-committee-service.lfx.svc.cluster.local:8080` | Committee Service API URL |
+| `HEIMDALL_JWKS_URL` | `http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks` | JWKS endpoint URL |
+| `LFX_API_GW` | `https://api-gw.dev.platform.linuxfoundation.org/` | LFX API Gateway URL |
+| `LOG_LEVEL` | `info` | Log level |
+| `DEBUG` | `false` | Enable debug logging |
+| `PORT` | `8080` | HTTP server port |
+| `BIND` | `*` | Interface to bind on |
+
+For a complete list of all supported environment variables, including required ones like `AUTH0_TENANT`, see the [v1-sync-helper README](../../v1-sync-helper/README.md#environment-variables).
+
+### Additional Configuration
+
 For all available configuration options and their default values, please see the [values.yaml](values.yaml) file in this chart directory. You can override these values in your own `values.yaml` file or by using the `--set` flag when installing the chart.
 

charts/lfx-v1-sync-helper/templates/deployment.yaml

@@ -45,6 +45,17 @@ spec:
               secretKeyRef:
                 name: {{ .Values.heimdall.secret.name }}
                 key: {{ .Values.heimdall.secret.privateKeyKey }}
+          # Auth0 configuration for v1 API authentication
+          - name: AUTH0_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.auth0.secret.name }}
+                key: {{ .Values.auth0.secret.clientIdKey }}
+          - name: AUTH0_PRIVATE_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.auth0.secret.name }}
+                key: {{ .Values.auth0.secret.privateKeyKey }}
           ports:
             - containerPort: 8080
               name: web

charts/lfx-v1-sync-helper/values.yaml

@@ -37,6 +37,18 @@ app:
     # COMMITTEE_SERVICE_URL is required for making API calls to committee service
     COMMITTEE_SERVICE_URL:
       value: http://lfx-v2-committee-service.lfx.svc.cluster.local:8080
+    # AUTH0_TENANT is required for Auth0 authentication
+    AUTH0_TENANT:
+      value: ""
+    # HEIMDALL_KEY_ID is optional - JWT key ID (if not provided, fetches from JWKS)
+    HEIMDALL_KEY_ID:
+      value: ""
+    # HEIMDALL_JWKS_URL is optional - JWKS endpoint URL
+    HEIMDALL_JWKS_URL:
+      value: http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks
+    # LFX_API_GW is optional - LFX API Gateway URL
+    LFX_API_GW:
+      value: https://api-gw.dev.platform.linuxfoundation.org/
 
 # serviceAccount is the configuration for the Kubernetes service account
 serviceAccount:
@@ -135,3 +147,14 @@ heimdall:
     name: heimdall-signer-cert
     # key in the secret which contains the signing certificate
     privateKeyKey: signer.pem
+
+# auth0 is the configuration for Auth0 authentication for v1 API calls
+auth0:
+  # secret contains the configuration for Auth0 authentication
+  secret:
+    # name of the secret containing Auth0 client ID and private key
+    name: v1-sync-helper-auth0-credentials
+    # key in the secret which contains the Auth0 client ID
+    clientIdKey: client-id
+    # key in the secret which contains the Auth0 private key
+    privateKeyKey: private-key