feat: config based configuration

app.go

@@ -28,7 +28,10 @@ func initializeApp() (*cluster.ClusterManager, error) {
 
 	rbac.InitRBAC()
 	handlers.InitTemplates()
-	internal.LoadConfigFromEnv()
+	internal.LoadConfigFromFile(common.ConfigFilePath)
+	if common.ConfigFilePath == "" {
+		internal.LoadConfigFromEnv()
+	}
 
 	return cluster.NewClusterManager()
 }

charts/kite/templates/deployment.yaml

@@ -73,6 +73,10 @@ spec:
             - name: KITE_BASE
               value: {{ .Values.basePath }}
             {{- end }}
+            {{- if .Values.config.enabled }}
+            - name: KITE_CONFIG_FILE
+              value: /etc/kite/config.yaml
+            {{- end }}
           {{- with .Values.extraEnvs }}
           {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -92,12 +96,25 @@ spec:
           {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.config.enabled }}
+            - name: kite-config
+              mountPath: /etc/kite
+              readOnly: true
+          {{- end }}
           {{- if and (eq .Values.db.type "sqlite")}}
             - name: {{ include "kite.fullname" . }}-storage
               mountPath: {{ .Values.db.sqlite.persistence.mountPath }}
           {{- end }}
       volumes:
-      {{- if eq .Values.db.type "sqlite"}} 
+      {{- if .Values.config.enabled }}
+        - name: kite-config
+          secret:
+            secretName: {{ .Values.config.existingSecret | default (printf "%s-config" (include "kite.fullname" .)) }}
+            items:
+              - key: config.yaml
+                path: config.yaml
+      {{- end }}
+      {{- if eq .Values.db.type "sqlite"}}
         - name: {{ include "kite.fullname" . }}-storage
       {{- if .Values.db.sqlite.persistence.pvc.enabled }}
           persistentVolumeClaim:

charts/kite/templates/secret-config.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.config.enabled (not .Values.config.existingSecret) }}
+{{- $cfg := omit .Values.config "enabled" "existingSecret" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kite.fullname" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kite.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  config.yaml: |
+    {{- with $cfg }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/kite/templates/secret.yaml

@@ -18,8 +18,4 @@ data:
   DB_TYPE: {{ .Values.db.type | b64enc | quote }}
   DB_DSN: {{ .Values.db.dsn | b64enc | quote }}
   {{- end }}
-  {{- if .Values.superUser.create }}
-  KITE_USERNAME: {{ .Values.superUser.username | b64enc | quote }}
-  KITE_PASSWORD: {{ .Values.superUser.password | b64enc | quote }}
-  {{- end }}
 {{- end }}

charts/kite/values.yaml

@@ -58,17 +58,6 @@ jwtSecret: ""
 # Ignored if using existingSecret
 encryptKey: "kite-default-encryption-key-change-in-production"
 
-# Superuser configuration
-# Used to create an initial superuser account on first startup
-# If superUser.create is false, will be setup in landing page
-# First install will create the superuser automatically
-# Subsequent installs/update will not modify the user
-# Ignored if using existingSecret
-superUser:
-  create: false
-  username: "admin"
-  password: ""
-
 # Secret handling
 # By default the chart will create a Kubernetes Secret containing sensitive values.
 secret:
@@ -80,10 +69,6 @@ secret:
   #  KITE_ENCRYPT_KEY
   #  DB_TYPE supported values: sqlite, postgres, mysql (defaults to sqlite if not set)
   #  DB_DSN (not required for sqlite)
-  # 
-  #  see superUser section for more details
-  #  KITE_USERNAME (optional for superuser)
-  #  KITE_PASSWORD (optional for superuser)
   # if set, the db.dsn and db.type values from the chart will be ignored.
   existingSecret: ""
 
@@ -131,6 +116,90 @@ extraEnvs:
   # - name: "EXAMPLE_ENV"
   #   value: "example_value"
 
+# Application configuration from values
+# When enabled, the specified sections become read-only in the UI.
+# You can either provide an existing Secret containing a config.yaml key,
+# or define the configuration inline below.
+config:
+  enabled: false
+  # Name of an existing Secret containing a `config.yaml` key.
+  # When set, the inline config below is ignored.
+  # The user is responsible for creating and managing this Secret.
+  # Example: kubectl create secret generic kite-config --from-file=config.yaml=./my-config.yaml
+  existingSecret: ""
+  # --- Inline configuration (used when existingSecret is empty) ---
+  # Super user configuration (created if the user doesn't exist, password updated on restart)
+  # superUser:
+  #   username: "admin"
+  #   password: "change-me-in-production"
+  # Sensitive values support ${ENV_VAR} placeholders, expanded from environment
+  # variables at startup. Use extraEnvs to inject secrets from Kubernetes Secrets:
+  #
+  # extraEnvs:
+  #   - name: PROD_KUBECONFIG
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: my-cluster-secrets
+  #         key: prod-kubeconfig
+  #   - name: OAUTH_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: my-oauth-secrets
+  #         key: google-client-secret
+  #
+  # Then reference them in the config below:
+  # clusters:
+  #   - name: production
+  #     config: "${PROD_KUBECONFIG}"
+  # oauth:
+  #   - name: google
+  #     clientSecret: "${OAUTH_SECRET}"
+  #
+  # Cluster configurations
+  # clusters:
+  #   - name: production
+  #     description: "Production cluster"
+  #     config: |
+  #       apiVersion: v1
+  #       kind: Config
+  #       ...
+  #     prometheusURL: "http://prometheus:9090"
+  #     default: true
+  #   - name: in-cluster
+  #     inCluster: true
+  #
+  # OAuth provider configurations
+  # oauth:
+  #   - name: google
+  #     clientId: "xxx.apps.googleusercontent.com"
+  #     clientSecret: "secret-value"
+  #     issuer: "https://accounts.google.com"
+  #     scopes: "openid,profile,email"
+  #     enabled: true
+  #
+  # LDAP configuration
+  # ldap:
+  #   enabled: true
+  #   serverUrl: "ldap://ldap.example.com:389"
+  #   bindDn: "cn=admin,dc=example,dc=com"
+  #   bindPassword: "secret"
+  #   userBaseDn: "ou=users,dc=example,dc=com"
+  #   groupBaseDn: "ou=groups,dc=example,dc=com"
+  #
+  # RBAC configuration (roles and role mappings)
+  # rbac:
+  #   roles:
+  #     - name: admin
+  #       description: "Full access"
+  #       clusters: ["*"]
+  #       namespaces: ["*"]
+  #       resources: ["*"]
+  #       verbs: ["*"]
+  #   roleMapping:
+  #     - name: admin
+  #       users: ["alice"]
+  #       oidcGroups: ["admins"]
+
 # This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
 serviceAccount:
   # Specifies whether a service account should be created

docs/.vitepress/config.mts

@@ -94,6 +94,7 @@ export default defineConfig({
             { text: "Prometheus Setup", link: "/config/prometheus-setup" },
             { text: "Managed K8s Auth", link: "/config/managed-k8s-auth" },
             { text: "Environment Variables", link: "/config/env" },
+            { text: "Configuration File", link: "/config/config-file" },
             { text: "Chart Values", link: "/config/chart-values" },
           ],
         },
@@ -155,6 +156,7 @@ export default defineConfig({
             { text: "Prometheus 设置", link: "/zh/config/prometheus-setup" },
             { text: "托管 K8s 认证", link: "/zh/config/managed-k8s-auth" },
             { text: "环境变量", link: "/zh/config/env" },
+            { text: "配置文件", link: "/zh/config/config-file" },
             { text: "Chart Values", link: "/zh/config/chart-values" },
           ],
         },

docs/config/chart-values.md

@@ -53,6 +53,25 @@ This document describes all available configuration options for the Kite Helm Ch
 | ----------- | ---------------------------------------- | ------- |
 | `extraEnvs` | List of additional environment variables | `[]`    |
 
+## Application Configuration
+
+Kite supports loading cluster, OAuth/LDAP, and RBAC configuration from a YAML config file. When enabled, managed sections become read-only in the UI.
+
+Available in Kite `v0.10.0` and later.
+
+See [Configuration File](./config-file) for the full config file format, usage examples, and reference.
+
+| Parameter               | Description                                                                    | Default |
+| ----------------------- | ------------------------------------------------------------------------------ | ------- |
+| `config.enabled`        | Enable configuration file mode                                                 | `false` |
+| `config.existingSecret` | Name of an existing Secret containing a `config.yaml` key. Recommended approach. | `""`    |
+| `config.superUser`      | Inline super user configuration (created on first startup only)                | `{}`    |
+| `config.clusters`       | Inline cluster configurations (when no existingSecret)                         | `[]`    |
+| `config.oauth`          | Inline OAuth provider configurations                                           | `[]`    |
+| `config.ldap`           | Inline LDAP configuration                                                      | `{}`    |
+| `config.rbac.roles`     | Inline RBAC role definitions                                                   | `[]`    |
+| `config.rbac.roleMapping` | Inline RBAC role mappings                                                    | `[]`    |
+
 ## Service Account Configuration
 
 | Parameter                    | Description                                         | Default |