feat(chart): add JWT audience, domain, prefix and extra claims settings

[appleboy]

Summary

Adds 9 AuthGate environment variables that the chart was missing relative to upstream internal/config/config.go / .env.example, so users can configure them through values.yaml instead of falling back to extraEnv: Swagger toggle, JWT audience/domain/private-claim-prefix, strict redirect URIs, and the 4 caller-supplied extra-claims limits. Defaults match upstream exactly, so a default install is unchanged.

AI Authorship

• AI was used. Details:
  • Tool / model: Claude Opus 4.7 via Claude Code
  • AI-authored files: values.yaml, templates/configmap.yaml, README.md
  • Human line-by-line reviewed: None yet — please review line-by-line.

Change classification

• Leaf node (local impact) — additive chart config only. No Go code, no core templates (deployment/secret/helpers) touched. A bad value surfaces at helm install/pod startup, not system-wide.

Plan reference

Goal: close the gap between the chart and AuthGate's supported env vars. New keys: server.enableSwagger, jwt.audience (list → comma-joined), jwt.domain, jwt.privateClaimPrefix, authCode.strictRedirectURIs, and the extraClaims.* block (enabled, maxRawSize, maxKeys, maxValSize).

Verification

• Unit tests — N/A (declarative chart)
• Render verification via helm lint + helm template
• Manual verification the reviewer can run from the chart dir:

  helm lint .
  # defaults: omits JWT_AUDIENCE/JWT_DOMAIN; prefix=extra; extra-claims 4096/16/512; swagger & strict = false
  helm template . | grep -E 'SWAGGER|JWT_AUDIENCE|JWT_DOMAIN|PRIVATE_CLAIM_PREFIX|EXTRA_CLAIMS|STRICT_REDIRECT'
  # overrides: domain + comma-joined audience render
  helm template . --set jwt.domain=oa --set 'jwt.audience={https://api.example.com,https://admin.example.com}'

Verifiability check

• Defaults documented and match upstream config.go
• Reviewer can judge correctness from rendered ConfigMap output without reading template internals
• Misconfiguration fails fast at AuthGate startup validation

Risk & rollback

• Risk: low. JWT_AUDIENCE/JWT_DOMAIN are {{- if }}-guarded so empty values omit the key (matching config.go "empty → omitted"). Defaults are unchanged for existing installs.
• Rollback: revert the commit; change is additive — prior extraEnv-based config still works.

Reviewer guide

• Read carefully: templates/configmap.yaml — confirm the audience list join, the conditional guards, and quoting match neighbours.
• Spot-check OK: values.yaml defaults (cross-check against config.go) and the README.md tables.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Adds chart support for nine AuthGate environment variables (Swagger toggle, JWT audience/domain/private-claim prefix, strict redirect URIs, and four extra-claims limits) that previously had to be configured via extraEnv. Defaults match upstream so existing installs are unaffected.

Changes:

• Adds server.enableSwagger, jwt.audience/domain/privateClaimPrefix, authCode.strictRedirectURIs, and extraClaims.* keys to values.yaml.
• Renders the corresponding env vars in templates/configmap.yaml, with if-guards for the optional JWT_AUDIENCE and JWT_DOMAIN, and comma-joining audience list entries.
• Documents the new parameters in README.md (new JWT and OAuth Flow tables).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
values.yaml	Adds new defaults and inline documentation for the nine new chart parameters.
templates/configmap.yaml	Renders new env vars into the ConfigMap, guarding optional ones and joining the audience list.
README.md	Adds JWT and OAuth Flow parameter tables documenting the new settings.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.