kellnr · secana · Feb 12, 2026 · Jan 28, 2026
diff --git a/charts/kellnr/templates/config.yaml b/charts/kellnr/templates/config.yaml
@@ -55,3 +55,29 @@ data:
   KELLNR_S3__ALLOW_HTTP: {{ .Values.kellnr.s3.allowHttp | quote }}
   KELLNR_S3__CRATES_BUCKET: {{ .Values.kellnr.s3.crates_bucket | quote }}
   KELLNR_S3__CRATESIO_BUCKET: {{ .Values.kellnr.s3.cratesio_bucket | quote }}
+  # OAuth2/OpenID Connect
+  KELLNR_OAUTH2__ENABLED: {{ .Values.kellnr.oauth2.enabled | quote }}
+{{- if .Values.kellnr.oauth2.issuerUrl }}
+  KELLNR_OAUTH2__ISSUER_URL: {{ .Values.kellnr.oauth2.issuerUrl | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.clientId }}
+  KELLNR_OAUTH2__CLIENT_ID: {{ .Values.kellnr.oauth2.clientId | quote }}
+{{- end }}
+{{- if and .Values.kellnr.oauth2.clientSecret (not .Values.kellnr.oauth2.clientSecretRef.name) }}
+  KELLNR_OAUTH2__CLIENT_SECRET: {{ .Values.kellnr.oauth2.clientSecret | quote }}
+{{- end }}
+  KELLNR_OAUTH2__SCOPES: {{ .Values.kellnr.oauth2.scopes | quote }}
+  KELLNR_OAUTH2__AUTO_PROVISION_USERS: {{ .Values.kellnr.oauth2.autoProvisionUsers | quote }}
+{{- if .Values.kellnr.oauth2.adminGroupClaim }}
+  KELLNR_OAUTH2__ADMIN_GROUP_CLAIM: {{ .Values.kellnr.oauth2.adminGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.adminGroupValue }}
+  KELLNR_OAUTH2__ADMIN_GROUP_VALUE: {{ .Values.kellnr.oauth2.adminGroupValue | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupClaim }}
+  KELLNR_OAUTH2__READ_ONLY_GROUP_CLAIM: {{ .Values.kellnr.oauth2.readOnlyGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupValue }}
+  KELLNR_OAUTH2__READ_ONLY_GROUP_VALUE: {{ .Values.kellnr.oauth2.readOnlyGroupValue | quote }}
+{{- end }}
+  KELLNR_OAUTH2__BUTTON_TEXT: {{ .Values.kellnr.oauth2.buttonText | quote }}
diff --git a/charts/kellnr/templates/deployment.yaml b/charts/kellnr/templates/deployment.yaml
@@ -82,6 +82,11 @@ spec:
             valueFrom:
               secretKeyRef: {{ toYaml .Values.kellnr.postgres.pwdSecretRef | nindent 16 }}
           {{- end }}
+          {{- if and .Values.kellnr.oauth2.enabled .Values.kellnr.oauth2.clientSecretRef.name }}
+          - name: KELLNR_OAUTH2__CLIENT_SECRET
+            valueFrom:
+              secretKeyRef: {{ toYaml .Values.kellnr.oauth2.clientSecretRef | nindent 16 }}
+          {{- end }}
           envFrom:
             {{- if .Values.secret.enabled }}
             - secretRef:

diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml
@@ -50,4 +50,30 @@ stringData:
   KELLNR_S3__ALLOW_HTTP: {{ .Values.kellnr.s3.allowHttp | quote }}
   KELLNR_S3__CRATES_BUCKET: {{ .Values.kellnr.s3.crates_bucket | quote }}
   KELLNR_S3__CRATESIO_BUCKET: {{ .Values.kellnr.s3.cratesio_bucket | quote }}
+  # OAuth2/OpenID Connect
+  KELLNR_OAUTH2__ENABLED: {{ .Values.kellnr.oauth2.enabled | quote }}
+{{- if .Values.kellnr.oauth2.issuerUrl }}
+  KELLNR_OAUTH2__ISSUER_URL: {{ .Values.kellnr.oauth2.issuerUrl | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.clientId }}
+  KELLNR_OAUTH2__CLIENT_ID: {{ .Values.kellnr.oauth2.clientId | quote }}
+{{- end }}
+{{- if and .Values.kellnr.oauth2.clientSecret (not .Values.kellnr.oauth2.clientSecretRef.name) }}
+  KELLNR_OAUTH2__CLIENT_SECRET: {{ .Values.kellnr.oauth2.clientSecret | quote }}
+{{- end }}
+  KELLNR_OAUTH2__SCOPES: {{ .Values.kellnr.oauth2.scopes | quote }}
+  KELLNR_OAUTH2__AUTO_PROVISION_USERS: {{ .Values.kellnr.oauth2.autoProvisionUsers | quote }}
+{{- if .Values.kellnr.oauth2.adminGroupClaim }}
+  KELLNR_OAUTH2__ADMIN_GROUP_CLAIM: {{ .Values.kellnr.oauth2.adminGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.adminGroupValue }}
+  KELLNR_OAUTH2__ADMIN_GROUP_VALUE: {{ .Values.kellnr.oauth2.adminGroupValue | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupClaim }}
+  KELLNR_OAUTH2__READ_ONLY_GROUP_CLAIM: {{ .Values.kellnr.oauth2.readOnlyGroupClaim | quote }}
+{{- end }}
+{{- if .Values.kellnr.oauth2.readOnlyGroupValue }}
+  KELLNR_OAUTH2__READ_ONLY_GROUP_VALUE: {{ .Values.kellnr.oauth2.readOnlyGroupValue | quote }}
+{{- end }}
+  KELLNR_OAUTH2__BUTTON_TEXT: {{ .Values.kellnr.oauth2.buttonText | quote }}
 {{- end }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
@@ -129,6 +129,37 @@ kellnr:
     crates_bucket: "kellnr-crates"
     cratesio_bucket: "kellnr-cratesio"
 
+  # OAuth2/OpenID Connect authentication
+  # See https://kellnr.io/documentation for details
+  oauth2:
+    enabled: false
+    # OIDC issuer URL (discovery URL)
+    # Example: "https://authentik.example.com/application/o/kellnr/"
+    issuerUrl: ""
+    # OAuth2 client ID
+    clientId: ""
+    # OAuth2 client secret - prefer using clientSecretRef for production
+    clientSecret: ""
+    # Reference to an existing Kubernetes secret containing the client secret
+    # When set, this takes precedence over clientSecret
+    clientSecretRef:
+      name: ""
+      key: "client-secret"
+    # OAuth2 scopes to request (comma-separated)
+    scopes: "openid,profile,email"
+    # Automatically create local user accounts for new OAuth2 users
+    autoProvisionUsers: true
+    # Claim name to check for admin group membership (e.g., "groups")
+    adminGroupClaim: ""
+    # Value in the admin group claim that grants admin privileges (e.g., "kellnr-admins")
+    adminGroupValue: ""
+    # Claim name to check for read-only group membership (e.g., "groups")
+    readOnlyGroupClaim: ""
+    # Value in the read-only group claim that grants read-only access (e.g., "kellnr-readonly")
+    readOnlyGroupValue: ""
+    # Text displayed on the OAuth2 login button
+    buttonText: "Login with SSO"
+
 service:
   api:
     type: ClusterIP