mend · nabeelsaabna · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/helm-charts/mend-renovate-ee/templates/_helpers.tpl b/helm-charts/mend-renovate-ee/templates/_helpers.tpl
@@ -64,6 +64,17 @@ Expand the name of the worker secret
 {{- end -}}
 {{- end -}}
 
+{{/*
+Expand the name of the web secret
+*/}}
+{{- define "mend-renovate.web-secret-name" -}}
+{{- if .Values.renovateWeb.existingSecret -}}
+{{- .Values.renovateWeb.existingSecret -}}
+{{- else -}}
+{{- include "mend-renovate.name" . }}-web
+{{- end -}}
+{{- end -}}
+
 {{/*
 Expand the name of the npmrc secret
 */}}
@@ -96,3 +107,14 @@ Expand the name of the worker service account
 {{- .Values.renovateWorker.serviceAccount.existingName -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Expand the name of the web service account
+*/}}
+{{- define "mend-renovate.web-service-account-name" -}}
+{{- if .Values.renovateWeb.serviceAccount.create -}}
+{{- include "mend-renovate.name" . }}-web-sa
+{{- else -}}
+{{- .Values.renovateWeb.serviceAccount.existingName -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm-charts/mend-renovate-ee/templates/secret.yaml b/helm-charts/mend-renovate-ee/templates/secret.yaml
@@ -74,6 +74,28 @@ data:
 
 ---
 
+{{- if and .Values.renovateWeb.enabled (not .Values.renovateWeb.existingSecret) (or .Values.renovateWeb.mendRnvGithubClientSecret .Values.renovateWeb.mendRnvBackendSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "mend-renovate.web-secret-name" . }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    helm.sh/chart: {{ include "mend-renovate.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  {{- if .Values.renovateWeb.mendRnvBackendSecret }}
+  mendRnvBackendSecret: {{ .Values.renovateWeb.mendRnvBackendSecret | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.renovateWeb.mendRnvGithubClientSecret }}
+  mendRnvGithubClientSecret: {{ .Values.renovateWeb.mendRnvGithubClientSecret | b64enc | quote }}
+  {{- end }}
+{{- end }}
+
+---
+
 {{- if not .Values.renovateWorker.existingSecret }}
 apiVersion: v1
 kind: Secret

diff --git a/helm-charts/mend-renovate-ee/templates/web-deployment.yaml b/helm-charts/mend-renovate-ee/templates/web-deployment.yaml
@@ -31,7 +31,6 @@ spec:
         {{ toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        checksum/config.jsFileConfigMap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
         checksum/shardedExtraConfigMaps: {{ include (print $.Template.BasePath "/extra-configmaps.yaml") . | sha256sum }}
         checksum/extraConfigMaps: {{ include (print $.Template.BasePath "/web-extra-configmaps.yaml") . | sha256sum }}
         {{- with .Values.renovateWeb.annotations }}
@@ -53,7 +52,7 @@ spec:
 
       containers:
         - name: {{ .Chart.Name }}-web
-          image: "{{ .Values.renovateWeb.image.repository }}:{{ .Values.renovateWeb.image.version }}"
+          image: "{{ .Values.renovateWeb.image.repository }}:{{ required "renovateWeb.image.version must be set when renovateWeb.enabled=true" .Values.renovateWeb.image.version }}"
           imagePullPolicy: {{ .Values.renovateWeb.image.pullPolicy }}
           {{- with .Values.renovateWeb.containerSecurityContext }}
           securityContext: {{ toYaml . | nindent 12 }}
@@ -80,18 +79,86 @@ spec:
             {{ toYaml . | nindent 12 }}
             {{- end }}
 
-            ## TODO: was MEND_RNV_SERVER_HOSTNAME
+            {{- $platform := coalesce .Values.renovateWeb.mendRnvPlatform .Values.renovateServer.mendRnvPlatform }}
+            {{- if $platform }}
+            - name: MEND_RNV_PLATFORM
+              value: {{ $platform | quote }}
+            {{- end }}
+            {{- $endpoint := coalesce .Values.renovateWeb.mendRnvEndpoint .Values.renovateServer.mendRnvEndpoint }}
+            {{- if $endpoint }}
+            - name: MEND_RNV_ENDPOINT
+              value: {{ $endpoint | quote }}
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvGithubClientId }}
+            - name: MEND_RNV_GITHUB_CLIENT_ID
+              value: {{ .Values.renovateWeb.mendRnvGithubClientId | quote }}
+            {{- end }}
+            {{- if or .Values.renovateWeb.mendRnvGithubClientSecret .Values.renovateWeb.existingSecret }}
+            - name: MEND_RNV_GITHUB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mend-renovate.web-secret-name" . }}
+                  key: mendRnvGithubClientSecret
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvGithubRedirectURI }}
+            - name: MEND_RNV_GITHUB_REDIRECT_URI
+              value: {{ .Values.renovateWeb.mendRnvGithubRedirectURI | quote }}
+            {{- end }}
+            - name: MEND_RNV_HTTPS_ENABLED
+              value: {{ .Values.renovateWeb.mendRnvHttpsEnabled | quote }}
+            - name: MEND_RNV_LISTEN_ADDR
+              value: {{ .Values.renovateWeb.mendRnvListenAddr | quote }}
+            - name: MEND_RNV_PAGE_SIZE
+              value: {{ .Values.renovateWeb.mendRnvPageSize | quote }}
+            - name: MEND_RNV_UI_ENABLE_RUN_JOB
+              value: {{ .Values.renovateWeb.mendRnvUIEnableRunJob | quote }}
+            {{- if .Values.renovateWeb.mendRnvHttpsEnabled }}
+            - name: MEND_RNV_CERT_FILE
+              value: {{ required "renovateWeb.mendRnvCertFile must be set when renovateWeb.mendRnvHttpsEnabled=true" .Values.renovateWeb.mendRnvCertFile | quote }}
+            - name: MEND_RNV_KEY_FILE
+              value: {{ required "renovateWeb.mendRnvKeyFile must be set when renovateWeb.mendRnvHttpsEnabled=true" .Values.renovateWeb.mendRnvKeyFile | quote }}
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvClientCACert }}
+            - name: MEND_RNV_CLIENT_CA_CERT
+              value: {{ .Values.renovateWeb.mendRnvClientCACert | quote }}
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvSessionAgeOverride }}
+            - name: MEND_RNV_SESSION_AGE_OVERRIDE
+              value: {{ .Values.renovateWeb.mendRnvSessionAgeOverride | quote }}
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvCSPFormAction }}
+            - name: MEND_RNV_CSP_FORM_ACTION
+              value: {{ .Values.renovateWeb.mendRnvCSPFormAction | quote }}
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvCSPConnectSrc }}
+            - name: MEND_RNV_CSP_CONNECT_SRC
+              value: {{ .Values.renovateWeb.mendRnvCSPConnectSrc | quote }}
+            {{- end }}
+            {{- if .Values.renovateWeb.mendRnvCSPImgSrc }}
+            - name: MEND_RNV_CSP_IMG_SRC
+              value: {{ .Values.renovateWeb.mendRnvCSPImgSrc | quote }}
+            {{- end }}
+
             - name: MEND_RNV_BACKEND_ADDR
+              {{- if .Values.renovateWeb.mendRnvBackendAddr }}
+              value: {{ .Values.renovateWeb.mendRnvBackendAddr | quote }}
+              {{- else }}
               {{- $httpsPort:= "" }}
               {{- $scheme := "http" }}
-              {{- if or .Values.renovateWeb.mendRnvClientHttpsConfig .Values.renovateWeb.mendRnvClientHttpsConfigPath}}
+              {{- if or .Values.renovateServer.mendRnvServerHttpsConfig .Values.renovateServer.mendRnvServerHttpsConfigPath}}
                 {{- $httpsPort = print ":" .Values.service.ports.https }}
                 {{- $scheme = "https" }}
               {{- end}}
               value: "{{ $scheme }}://{{ include "mend-renovate.fullname" . }}-svc-server{{ $httpsPort }}"
+              {{- end }}
 
-            {{- if or .Values.renovateServer.mendRnvServerApiSecret .Values.renovateServer.existingSecret }}
-            # TODO: was MEND_RNV_SERVER_API_SECRET
+            {{- if or .Values.renovateWeb.mendRnvBackendSecret .Values.renovateWeb.existingSecret }}
+            - name: MEND_RNV_BACKEND_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mend-renovate.web-secret-name" . }}
+                  key: mendRnvBackendSecret
+            {{- else if or .Values.renovateServer.mendRnvServerApiSecret .Values.renovateServer.existingSecret }}
             - name: MEND_RNV_BACKEND_SECRET
               valueFrom:
                 secretKeyRef:
@@ -111,16 +178,6 @@ spec:
                   key: mendRnvLicenseKey
             {{- end }}
 
-
-            {{- if .Values.renovateWeb.mendRnvClientHttpsConfig }}
-            - name: MEND_RNV_CLIENT_HTTPS_CONFIG
-              value: {{ toJson .Values.renovateWeb.mendRnvClientHttpsConfig | quote }}
-            {{- end }}
-            {{- if .Values.renovateWeb.mendRnvClientHttpsConfigPath }}
-            - name: MEND_RNV_CLIENT_HTTPS_CONFIG_PATH
-              value: {{ .Values.renovateWeb.mendRnvClientHttpsConfigPath | quote}}
-            {{- end }}
-
             {{- if .Values.renovateWeb.logLevel }}
             - name: LOG_LEVEL
               value: {{ .Values.renovateWeb.logLevel | quote }}
@@ -132,16 +189,14 @@ spec:
             - name: ee-web-https
               containerPort: 8443
               protocol: TCP
-
-# TODO: add /health
-{{/*          {{- with .Values.renovateWeb.livenessProbe }}*/}}
-{{/*          livenessProbe:*/}}
-{{/*            {{- toYaml . | nindent 12 }}*/}}
-{{/*          {{- end }}*/}}
-{{/*          {{- with .Values.renovateWeb.readinessProbe }}*/}}
-{{/*          readinessProbe:*/}}
-{{/*          {{- toYaml . | nindent 12 }}*/}}
-{{/*          {{- end }}*/}}
+          {{- with .Values.renovateWeb.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.renovateWeb.readinessProbe }}
+          readinessProbe:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
 
           resources:
             {{ toYaml .Values.renovateWeb.resources | nindent 12 }}

diff --git a/helm-charts/mend-renovate-ee/values.yaml b/helm-charts/mend-renovate-ee/values.yaml
@@ -547,20 +547,77 @@ renovateWeb:
     version:
     pullPolicy: Always
 
-  # TLS client config (YAML format, stringified to JSON in template).
-  # Takes precedence over 'mendRnvClientHttpsConfigPath'.
-  #
-  # https://github.com/mend/renovate-ce-ee/blob/main/docs/tls.md#clienthttpsoptions-details-and-examples
-  mendRnvClientHttpsConfig:
-  #  ca: "file:///path/to/cert_auth.pem"       # or "base64://..." or plain string
+  # Which platform the Web UI connects to. currently supported value: "github"
+  # If unset, the chart derives mendRnvPlatform from the server service.
+  mendRnvPlatform:
 
-  # Path to the TLS server config.
-  mendRnvClientHttpsConfigPath:
+  # Optional endpoint used by the platform client.
+  # Usually only needed for GitHub Enterprise. For github.com, defaults are derived from mendRnvPlatform.
+  # Example: https://ghe.example.com/
+  mendRnvEndpoint:
 
-  # Additional worker env vars
+  # Optional explicit backend URL override.
+  # If unset, the chart derives mendRnvBackendAddr from the server service.
+  mendRnvBackendAddr:
+
+  # Optional backend API secret for websrv.
+  # This must match the server API secret value used by renovateServer.mendRnvServerApiSecret.
+  # If unset, websrv uses renovateServer.mendRnvServerApiSecret.
+  mendRnvBackendSecret:
+
+  # GitHub app client ID.
+  mendRnvGithubClientId:
+
+  # GitHub app client secret.
+  # Used when renovateWeb.existingSecret is not set.
+  mendRnvGithubClientSecret:
+
+  # Optional existing secret with keys used by websrv:
+  #   mendRnvGithubClientSecret:
+  #   mendRnvBackendSecret:
+  existingSecret:
+
+  # Optional GitHub OAuth redirect URI override.
+  mendRnvGithubRedirectURI:
+
+  # HTTPS server configuration for websrv.
+  # mendRnvCertFile and mendRnvKeyFile are file paths inside the web container.
+  # Ensure the files are mounted into the pod (for example via Secret/ConfigMap + extraVolumes/extraVolumeMounts).
+  mendRnvHttpsEnabled: false
+  # Required when mendRnvHttpsEnabled=true.
+  mendRnvCertFile:
+  # Required when mendRnvHttpsEnabled=true.
+  mendRnvKeyFile:
+
+  mendRnvListenAddr: ":8080"
+
+  # Optional backend TLS CA certificate file path used to verify HTTPS server certificates.
+  # This path must exist inside the web container (typically mounted via extraVolumes/extraVolumeMounts).
+  mendRnvClientCACert:
+
+  # Optional Go duration string. Example: "30m", "24h".
+  mendRnvSessionAgeOverride:
+
+  # UI specific settings.
+  mendRnvPageSize: 20
+  mendRnvUIEnableRunJob: true
+
+  # Optional CSP form-action override.
+  # Default: "'self'"
+  mendRnvCSPFormAction:
+
+  # Optional CSP connect-src override.
+  # Default: "'self'"
+  mendRnvCSPConnectSrc:
+
+  # Optional CSP img-src override.
+  # Default "'self' data: https:"
+  mendRnvCSPImgSrc:
+
+  # Additional web env vars
   extraEnvVars: [ ]
 
-  # Number of renovate-ee-workers
+  # Number of renovate-ee-web instances
   replicas: 1
 
   # Set log level, defaults to 'info'. Allowed values: fatal, error, warn, info, debug, trace
@@ -607,26 +664,25 @@ renovateWeb:
   # name of the image pull secret
   imagePullSecrets: ""
 
+  readinessProbe:
+    httpGet:
+      path: /readyz
+      port: ee-web
+    initialDelaySeconds: 20
+    periodSeconds: 20
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
 
-  #    readinessProbe:
-  #      httpGet:
-  #        path: /health
-  #        port: ee-web
-  #      initialDelaySeconds: 20
-  #      periodSeconds: 20
-  #      timeoutSeconds: 1
-  #      failureThreshold: 3
-  #      successThreshold: 1
-  #
-  #    livenessProbe:
-  #      httpGet:
-  #        path: /health
-  #        port: ee-web
-  #      initialDelaySeconds: 60
-  #      periodSeconds: 10
-  #      timeoutSeconds: 1
-  #      failureThreshold: 3
-  #      successThreshold: 1
+  livenessProbe:
+    httpGet:
+      path: /livez
+      port: ee-web
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
 
   # Extra ConfigMaps to be created by the chart
   # These are full Kubernetes ConfigMap definitions