From eb31c0d8e6811ad6b29ceaa208bd0edfb45bc644 Mon Sep 17 00:00:00 2001 From: Arlan Lloyd Date: Mon, 3 Nov 2025 01:18:50 +0000 Subject: [PATCH] add in scanner & extra apikey support --- chart/README.md | 4 ++++ chart/templates/auth/deployment.yaml | 24 ++++++++++++++++++++---- chart/templates/scanner/deployment.yaml | 5 +++++ chart/values.yaml | 23 ++++++++++++++++++----- 4 files changed, 47 insertions(+), 9 deletions(-) diff --git a/chart/README.md b/chart/README.md index 265e765a..ce77ac14 100644 --- a/chart/README.md +++ b/chart/README.md @@ -23,6 +23,7 @@ extraObjects: stringData: postgres_user: kyoo_all postgres_password: watchSomething4me + scanner_apikey: triquarter4u - kind: PersistentVolumeClaim apiVersion: v1 metadata: @@ -48,6 +49,8 @@ global: host: postgres kyoo_transcoder: host: postgres + kyoo_scanner: + host: postgres # specify hardware resources transcoder: kyoo_transcoder: @@ -83,6 +86,7 @@ stringData: tvdb_pin: "" postgres_user: kyoo_all postgres_password: watchSomething4me + scanner_apikey: triquarter4u ``` # Additional Notes diff --git a/chart/templates/auth/deployment.yaml b/chart/templates/auth/deployment.yaml index 14a78593..447af608 100644 --- a/chart/templates/auth/deployment.yaml +++ b/chart/templates/auth/deployment.yaml 
@@ -53,15 +53,31 @@ spec: {{- end }} env: - name: EXTRA_CLAIMS - value: {{ .Values.kyoo.extraClaims | quote }} + value: {{ .Values.kyoo.auth.extraClaims | quote }} - name: FIRST_USER_CLAIMS - value: {{ .Values.kyoo.firstUserClaims | quote }} + value: {{ .Values.kyoo.auth.firstUserClaims | quote }} - name: GUEST_CLAIMS - value: {{ .Values.kyoo.guestClaims | quote }} + value: {{ .Values.kyoo.auth.guestClaims | quote }} - name: PROTECTED_CLAIMS - value: {{ .Values.kyoo.protectedClaims | quote }} + value: {{ .Values.kyoo.auth.protectedClaims | quote }} - name: PUBLIC_URL value: {{ .Values.kyoo.address | quote }} + - name: KEIBI_APIKEY_SCANNER + valueFrom: + secretKeyRef: + key: {{ .Values.kyoo.auth.apikeys.scanner.apikeyKey }} + name: {{ .Values.kyoo.auth.apikeys.scanner.existingSecret }} + - name: KEIBI_APIKEY_SCANNER_CLAIMS + value: {{ .Values.kyoo.auth.apikeys.scanner.claims | quote}} + {{- range $index, $entry := .Values.kyoo.auth.apikeys.extra }} + - name: KEIBI_APIKEY_{{ $entry.name | upper }} + valueFrom: + secretKeyRef: + key: {{ $entry.apikeyKey }} + name: {{ $entry.existingSecret }} + - name: KEIBI_APIKEY_{{ $entry.name | upper }}_CLAIMS + value: {{ $entry.claims | quote }} + {{- end }} - name: PGUSER valueFrom: secretKeyRef: diff --git a/chart/templates/scanner/deployment.yaml b/chart/templates/scanner/deployment.yaml index a86e8cf3..e4952734 100644 --- a/chart/templates/scanner/deployment.yaml +++ b/chart/templates/scanner/deployment.yaml @@ -62,6 +62,11 @@ spec: value: "http://{{ include "kyoo.auth.fullname" . }}:4568/.well-known/jwks.json" - name: JWT_ISSUER value: {{ .Values.kyoo.address | quote }} + - name: KYOO_APIKEY + valueFrom: + secretKeyRef: + key: {{ .Values.kyoo.auth.apikeys.scanner.apikeyKey }} + name: {{ .Values.kyoo.auth.apikeys.scanner.existingSecret }} - name: THEMOVIEDB_API_ACCESS_TOKEN valueFrom: secretKeyRef: diff --git a/chart/values.yaml b/chart/values.yaml index c035be12..222b9f5b 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
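Review bot: Moving the four claim lookups to `.Values.kyoo.auth.*` means an override still set at the old path (`kyoo.guestClaims`, `kyoo.extraClaims`, `kyoo.firstUserClaims`, `kyoo.protectedClaims`) is ignored on upgrade without any error, and the pod falls back to the chart defaults. This matters for access control, because the default `guestClaims` in values.yaml carries the same permission list as `firstUserClaims`; a deployment that had narrowed guest permissions would silently widen them again. A guard at the top of this template would turn that into a failed render, e.g. `{{- if hasKey .Values.kyoo "guestClaims" }}{{ fail "kyoo.guestClaims moved to kyoo.auth.guestClaims" }}{{- end }}`, repeated for the other three keys. The container `env` list this hunk edits starts and ends outside the hunk.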
@@ -83,11 +83,24 @@ kyoo: # defaults to traefikproxy service unless specified otherwise middlewareRootURL: ~ - # new auth settings - extraClaims: '{"permissions": ["core.read"], "verified": false}' - firstUserClaims: '{"permissions": ["users.read", "users.write", "apikeys.read", "apikeys.write", "users.delete", "core.read", "core.write", "scanner.trigger"], "verified": true}' - guestClaims: '{"permissions": ["users.read", "users.write", "apikeys.read", "apikeys.write", "users.delete", "core.read", "core.write", "scanner.trigger"], "verified": true}' - protectedClaims: "permissions,verified" + # auth settings + auth: + firstUserClaims: '{"permissions": ["users.read", "users.write", "apikeys.read", "apikeys.write", "users.delete", "core.read", "core.write", "scanner.trigger"], "verified": true}' + guestClaims: '{"permissions": ["users.read", "users.write", "apikeys.read", "apikeys.write", "users.delete", "core.read", "core.write", "scanner.trigger"], "verified": true}' + extraClaims: '{"permissions": ["core.read"], "verified": false}' + protectedClaims: "permissions,verified" + + apikeys: + scanner: + existingSecret: bigsecret + apikeyKey: scanner_apikey + claims: '{"permissions": ["core.write"]}' + # create additional apikeys + extra: [] + # - name: example + # existingSecret: bigsecret + # apikeyKey: example_apikey + # claims: '{"permissions": ["core.read"]}' # A pattern (regex) to ignore video files. libraryIgnorePattern: ".*/[dD]ownloads?/.*"
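Review bot: The commented `extra` example does not say that `name` becomes part of an environment variable name; the auth template renders it as `KEIBI_APIKEY_{{ $entry.name | upper }}` with no validation. An entry named `scanner` would therefore render a second `KEIBI_APIKEY_SCANNER` and `KEIBI_APIKEY_SCANNER_CLAIMS` next to the built-in pair, so the key and claims the auth service ends up with could differ from what the scanner deployment sends. Whether names with other characters (such as `-` or `.`) still map to a key the auth service recognises cannot be told from this page. I would add above the example `# name is upper-cased into KEIBI_APIKEY_<NAME>; use letters, digits and underscores only and do not reuse "scanner"`. It is also worth stating there that `existingSecret` and `apikeyKey` must already exist, since the `secretKeyRef` entries in the auth and scanner templates are not marked optional.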