feat: wire Zoho and Google OAuth + grant CNPG app role superuser privileges

## Changes

- Wire Zoho OAuth env vars (`ZOHO_OAUTH_CLIENT_ID`, `ZOHO_OAUTH_CLIENT_SECRET`) — guarded by `oauth.zohoClientIdKey`
- Wire Google OAuth env vars (`GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`) — guarded by `oauth.googleClientIdKey`
- Guard GitHub OAuth injection on non-empty `githubClientIdKey` (allows Zoho/Google-only deployments)
- Add `postInitApplicationSQL` to CNPG Cluster to grant `SUPERUSER CREATEROLE CREATEDB REPLICATION` to the app role, required for remote server migrations that manage `electric_sync` role

## Usage

Set `oauth.name`, `oauth.zohoClientIdKey`/`oauth.zohoClientSecretKey` (and/or `googleClientIdKey`/`googleClientSecretKey`) in your values to enable the respective OAuth provider.

Author: iamriajul

helm/vibe-kanban-team/templates/_helpers.tpl

@@ -259,6 +259,7 @@ Trimmed to 59 chars so CNPG-generated suffixes (-app, -rw, -superuser) stay with
 {{- end }}
 {{- $oauth := .Values.config.existingSecrets.oauth -}}
 {{- if $oauth.name }}
+{{- if $oauth.githubClientIdKey }}
 - name: GITHUB_OAUTH_CLIENT_ID
   valueFrom:
     secretKeyRef:
@@ -270,6 +271,31 @@ Trimmed to 59 chars so CNPG-generated suffixes (-app, -rw, -superuser) stay with
       name: {{ $oauth.name }}
       key: {{ $oauth.githubClientSecretKey }}
 {{- end }}
+{{- if $oauth.googleClientIdKey }}
+- name: GOOGLE_OAUTH_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ $oauth.name }}
+      key: {{ $oauth.googleClientIdKey }}
+- name: GOOGLE_OAUTH_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ $oauth.name }}
+      key: {{ $oauth.googleClientSecretKey }}
+{{- end }}
+{{- if $oauth.zohoClientIdKey }}
+- name: ZOHO_OAUTH_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ $oauth.name }}
+      key: {{ $oauth.zohoClientIdKey }}
+- name: ZOHO_OAUTH_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ $oauth.name }}
+      key: {{ $oauth.zohoClientSecretKey }}
+{{- end }}
+{{- end }}
 {{- end }}
 
 {{- define "vibe-kanban-team.relay.structuredEnv" -}}

helm/vibe-kanban-team/templates/postgresql-cluster.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.postgres.enabled }}
+{{- $dbName := .Values.postgres.database | default "vibe_kanban" }}
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@@ -18,8 +19,12 @@ spec:
       wal_level: "logical"
   bootstrap:
     initdb:
-      database: {{ .Values.postgres.database | default "vibe_kanban" }}
-      owner: {{ .Values.postgres.database | default "vibe_kanban" }}
+      database: {{ $dbName }}
+      owner: {{ $dbName }}
+      postInitApplicationSQL:
+        # Grant the app role full privileges so remote can manage roles/passwords
+        # during migrations (including electric_sync role creation).
+        - {{ printf "ALTER ROLE %s WITH SUPERUSER CREATEROLE CREATEDB REPLICATION;" $dbName | quote }}
   managed:
     roles:
       - name: electric_sync

helm/vibe-kanban-team/values.yaml

@@ -130,6 +130,14 @@ config:
       name: ""
       githubClientIdKey: github-client-id
       githubClientSecretKey: github-client-secret
+      # Google OAuth — set googleClientIdKey to activate (leave empty to disable)
+      googleClientIdKey: ""
+      googleClientSecretKey: google-client-secret
+      # Zoho OAuth — set zohoClientIdKey to activate (leave empty to disable)
+      zohoClientIdKey: ""
+      zohoClientSecretKey: zoho-client-secret
+      # Optional: override Zoho accounts URL (e.g. https://accounts.zoho.eu)
+      # Set via extraEnv: [{name: ZOHO_ACCOUNTS_URL, value: "..."}]
 
 # =============================================================================
 # Environment Variables