replace repl with envvars

Author: Simon Emms

install/installer/scripts/kots-install.sh

@@ -2,36 +2,36 @@
 # Copyright (c) 2022 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
-# shellcheck disable=SC2140,SC2050
+# shellcheck disable=SC2050,SC2153
 
 set -e
 
 echo "Gitpod: Killing any in-progress installations"
 
-kubectl delete jobs.batch -n "{{repl Namespace }}" -l component="gitpod-installer,cursor!={{repl Cursor }}" --force --grace-period 0 || true
-kubectl delete pod -n "{{repl Namespace }}" -l component="gitpod-installer,cursor!={{repl Cursor }}" --force --grace-period 0 || true
+kubectl delete jobs.batch -n "${NAMESPACE}" -l component="gitpod-installer,cursor!=${CURSOR}" --force --grace-period 0 || true
+kubectl delete pod -n "${NAMESPACE}" -l component="gitpod-installer,cursor!=${CURSOR}" --force --grace-period 0 || true
 
-if [ "$(helm status -n "{{repl Namespace }}" gitpod -o json | jq '.info.status == "deployed"')" = "false" ];
+if [ "$(helm status -n "${NAMESPACE}" gitpod -o json | jq '.info.status == "deployed"')" = "false" ];
 then
 echo "Gitpod: Deployment in-progress - clearing"
 
-VERSION="$(helm status -n "{{repl Namespace }}" gitpod -o json | jq '.version')"
+VERSION="$(helm status -n "${NAMESPACE}" gitpod -o json | jq '.version')"
 if [ "${VERSION}" -le 1 ];
 then
     echo "Gitpod: Uninstall application"
-    helm uninstall -n "{{repl Namespace }}" gitpod --wait || true
+    helm uninstall -n "${NAMESPACE}" gitpod --wait || true
 else
     echo "Gitpod: Rolling back application"
-    helm rollback -n "{{repl Namespace }}" gitpod --wait || true
+    helm rollback -n "${NAMESPACE}" gitpod --wait || true
 fi
 fi
 
 echo "Gitpod: Generate the base Installer config"
 /app/installer init > "${CONFIG_FILE}"
 
 echo "Gitpod: auto-detecting ShiftFS support on host machine"
-kubectl wait job -n "{{repl Namespace }}" --for=condition=complete -l component=shiftfs-module-loader --timeout=30s || true
-ENABLE_SHIFTFS=$(kubectl get jobs.batch -n "{{repl Namespace }}" -l component=shiftfs-module-loader -o jsonpath='{.items[0].status.succeeded}')
+kubectl wait job -n "${NAMESPACE}" --for=condition=complete -l component=shiftfs-module-loader --timeout=30s || true
+ENABLE_SHIFTFS=$(kubectl get jobs.batch -n "${NAMESPACE}" -l component=shiftfs-module-loader -o jsonpath='{.items[0].status.succeeded}')
 
 if [ "${ENABLE_SHIFTFS}" = "1" ]; then
     echo "Gitpod: enabling ShiftFS support"
@@ -61,27 +61,27 @@ elif [ -S "/mnt/node0${CONTAINERD_SOCKET_AL}" ]; then
 fi
 
 echo "Gitpod: Inject the Replicated variables into the config"
-yq e -i '.domain = "{{repl ConfigOption "domain" }}"' "${CONFIG_FILE}"
+yq e -i ".domain = \"${DOMAIN}\"" "${CONFIG_FILE}"
 yq e -i '.license.kind = "secret"' "${CONFIG_FILE}"
 yq e -i '.license.name = "gitpod-license"' "${CONFIG_FILE}"
 
-if [ '{{repl ConfigOptionNotEquals "openVsxUrl" "" }}' = "true" ];
+if [ "${OPEN_VSX_URL}" != "" ];
 then
     echo "Gitpod: Setting Open VSX Registry URL"
-    yq e -i ".openVSX.url = \"{{repl ConfigOption "openVsxUrl" }}\"" "${CONFIG_FILE}"
+    yq e -i ".openVSX.url = \"${OPEN_VSX_URL}\"" "${CONFIG_FILE}"
 fi
 
-if [ '{{repl and (ConfigOptionEquals "db_incluster" "0") (ConfigOptionEquals "db_cloudsql_enabled" "1") }}' = "true" ];
+if [ "${DB_INCLUSTER_ENABLED}" = "0" ] && [ "${DB_CLOUDSQL_INSTANCE}" = "1" ];
 then
     echo "Gitpod: configuring CloudSQLProxy"
 
     yq e -i ".database.inCluster = false" "${CONFIG_FILE}"
-    yq e -i ".database.cloudSQL.instance = \"{{repl ConfigOption "db_cloudsql_instance" }}\"" "${CONFIG_FILE}"
+    yq e -i ".database.cloudSQL.instance = \"${DB_INCLUSTER_ENABLED}\"" "${CONFIG_FILE}"
     yq e -i ".database.cloudSQL.serviceAccount.kind = \"secret\"" "${CONFIG_FILE}"
     yq e -i ".database.cloudSQL.serviceAccount.name = \"cloudsql\"" "${CONFIG_FILE}"
 fi
 
-if [ '{{repl and (ConfigOptionEquals "db_incluster" "0") (ConfigOptionEquals "db_cloudsql_enabled" "0") }}' = "true" ];
+if [ "${DB_INCLUSTER_ENABLED}" = "0" ] && [ "${DB_CLOUDSQL_INSTANCE}" = "0" ];
 then
     echo "Gitpod: configuring external database"
 
@@ -90,139 +90,138 @@ then
     yq e -i ".database.external.certificate.name = \"database\"" "${CONFIG_FILE}"
 fi
 
-if [ '{{repl HasLocalRegistry }}' = "true" ];
+if [ "${HAS_LOCAL_REGISTRY}" = "true" ];
 then
     echo "Gitpod: configuring mirrored container registry for airgapped installation"
 
-    yq e -i ".repository = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}"
+    yq e -i ".repository = \"${LOCAL_REGISTRY_ADDRESS}\"" "${CONFIG_FILE}"
     yq e -i ".imagePullSecrets[0].kind = \"secret\"" "${CONFIG_FILE}"
-    yq e -i ".imagePullSecrets[0].name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}"
+    yq e -i ".imagePullSecrets[0].name = \"${IMAGE_PULL_SECRET_NAME}\"" "${CONFIG_FILE}"
     yq e -i '.dropImageRepo = true' "${CONFIG_FILE}"
 
     # Add the registry to the server allowlist - keep docker.io in case it's just using the mirrored registry functionality without being airgapped
-    yq e -i ".containerRegistry.privateBaseImageAllowList += \"{{repl LocalRegistryHost }}\"" "${CONFIG_FILE}"
+    yq e -i ".containerRegistry.privateBaseImageAllowList += \"${LOCAL_REGISTRY_HOST}\"" "${CONFIG_FILE}"
     yq e -i ".containerRegistry.privateBaseImageAllowList += \"docker.io\"" "${CONFIG_FILE}"
 fi
 
 # Output the local registry secret - this is proxy.replicated.com if user hasn't set their own
-echo "{{repl LocalRegistryImagePullSecret }}" | base64 -d > /tmp/kotsregistry.json
+echo "${LOCAL_REGISTRY_IMAGE_PULL_SECRET}" | base64 -d > /tmp/kotsregistry.json
 
-if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
+if [ "${REG_INCLUSTER_ENABLED}" = "0" ];
 then
     echo "Gitpod: configuring external container registry"
 
-    # Create a container-registry secret merging the external registry and KOTS registry keys
-    echo '{{repl printf "{\"auths\": {\"%s\": {\"username\": \"%s\", \"password\": %s, \"auth\": \"%s\"}}}" (ConfigOption "reg_server" | default (ConfigOption "reg_url")) (ConfigOption "reg_username") (ConfigOption "reg_password" | toJson) (printf "%s:%s" (ConfigOption "reg_username") (ConfigOption "reg_password") | Base64Encode) }}' \
-        | yq -o=json '.' - \
-        > /tmp/gitpodregistry.json
+    # Get the external-container-registry secret so we can merge the external registry and KOTS registry keys
+    kubectl get secret external-container-registry \
+        --namespace "${NAMESPACE}" \
+        -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d > /tmp/gitpodregistry.json
 
     cat /tmp/kotsregistry.json /tmp/gitpodregistry.json | jq -s '.[0] * .[1]' - - > /tmp/container-registry-secret
 
     echo "Gitpod: create the container-registry secret"
     kubectl create secret docker-registry container-registry \
-        --namespace "{{repl Namespace }}" \
+        --namespace "${NAMESPACE}" \
         --from-file=.dockerconfigjson=/tmp/container-registry-secret \
         -o yaml --dry-run=client | \
-        kubectl replace --namespace "{{repl Namespace }}" --force -f -
+        kubectl replace --namespace "${NAMESPACE}" --force -f -
 
     yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}"
-    yq e -i ".containerRegistry.external.url = \"{{repl ConfigOption "reg_url" }}\"" "${CONFIG_FILE}"
+    yq e -i ".containerRegistry.external.url = \"${REG_URL}\"" "${CONFIG_FILE}"
     yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
     yq e -i ".containerRegistry.external.certificate.name = \"container-registry\"" "${CONFIG_FILE}"
 else
-    if [ '{{repl ConfigOptionEquals "reg_incluster_storage" "s3" }}' = "true" ];
+    if [ "${REG_INCLUSTER_STORAGE}" = "s3" ];
     then
         echo "Gitpod: configuring container registry S3 backend"
 
-        yq e -i ".containerRegistry.s3storage.region = \"{{repl ConfigOption "reg_incluster_storage_s3_region" }}\"" "${CONFIG_FILE}"
-        yq e -i ".containerRegistry.s3storage.endpoint = \"{{repl ConfigOption "reg_incluster_storage_s3_endpoint" }}\"" "${CONFIG_FILE}"
-        yq e -i ".containerRegistry.s3storage.bucket = \"{{repl ConfigOption "reg_incluster_storage_s3_bucketname" }}\"" "${CONFIG_FILE}"
+        yq e -i ".containerRegistry.s3storage.region = \"${REG_INCLUSTER_STORAGE_S3_REGION}\"" "${CONFIG_FILE}"
+        yq e -i ".containerRegistry.s3storage.endpoint = \"${REG_INCLUSTER_STORAGE_S3_ENDPOINT}\"" "${CONFIG_FILE}"
+        yq e -i ".containerRegistry.s3storage.bucket = \"${REG_INCLUSTER_STORAGE_S3_BUCKETNAME}\"" "${CONFIG_FILE}"
         yq e -i ".containerRegistry.s3storage.certificate.kind = \"secret\"" "${CONFIG_FILE}"
         yq e -i ".containerRegistry.s3storage.certificate.name = \"container-registry-s3-backend\"" "${CONFIG_FILE}"
     fi
 fi
 
-if [ '{{repl ConfigOptionNotEquals "store_provider" "incluster" }}' = "true" ];
+if [ "${STORE_PROVIDER}" != "incluster" ];
 then
     echo "Gitpod: configuring the storage"
 
-    yq e -i ".metadata.region = \"{{repl ConfigOption "store_region" }}\"" "${CONFIG_FILE}"
+    yq e -i ".metadata.region = \"${STORE_REGION}\"" "${CONFIG_FILE}"
     yq e -i ".objectStorage.inCluster = false" "${CONFIG_FILE}"
 
-    if [ '{{repl ConfigOptionEquals "store_provider" "azure" }}' = "true" ];
+    if [ "${STORE_PROVIDER}" = "azure" ];
     then
         echo "Gitpod: configuring storage for Azure"
 
         yq e -i ".objectStorage.azure.credentials.kind = \"secret\"" "${CONFIG_FILE}"
         yq e -i ".objectStorage.azure.credentials.name = \"storage-azure\"" "${CONFIG_FILE}"
     fi
 
-    if [ '{{repl ConfigOptionEquals "store_provider" "gcp" }}' = "true" ];
+    if [ "${STORE_PROVIDER}" = "gcp" ];
     then
         echo "Gitpod: configuring storage for GCP"
 
-        yq e -i ".objectStorage.cloudStorage.project = \"{{repl ConfigOption "store_gcp_project" }}\"" "${CONFIG_FILE}"
+        yq e -i ".objectStorage.cloudStorage.project = \"${STORE_GCP_PROJECT}\"" "${CONFIG_FILE}"
         yq e -i ".objectStorage.cloudStorage.serviceAccount.kind = \"secret\"" "${CONFIG_FILE}"
         yq e -i ".objectStorage.cloudStorage.serviceAccount.name = \"storage-gcp\"" "${CONFIG_FILE}"
     fi
 
-    if [ '{{repl ConfigOptionEquals "store_provider" "s3" }}' = "true" ];
+    if [ "${STORE_PROVIDER}" = "s3" ];
     then
         echo "Gitpod: configuring storage for S3"
 
-        yq e -i ".objectStorage.s3.endpoint = \"{{repl ConfigOption "store_s3_endpoint" }}\"" "${CONFIG_FILE}"
-        yq e -i ".objectStorage.s3.bucket = \"{{repl ConfigOption "store_s3_bucket" }}\"" "${CONFIG_FILE}"
+        yq e -i ".objectStorage.s3.endpoint = \"${STORE_S3_ENDPOINT}\"" "${CONFIG_FILE}"
+        yq e -i ".objectStorage.s3.bucket = \"${STORE_S3_BUCKET}\"" "${CONFIG_FILE}"
         yq e -i ".objectStorage.s3.credentials.kind = \"secret\"" "${CONFIG_FILE}"
         yq e -i ".objectStorage.s3.credentials.name = \"storage-s3\"" "${CONFIG_FILE}"
     fi
 fi
 
-if [ '{{repl ConfigOptionEquals "ssh_gateway" "1" }}' = "true" ];
+if [ "${SSH_GATEWAY}" = "1" ];
 then
     echo "Gitpod: Generate SSH host key"
     ssh-keygen -t rsa -q -N "" -f host.key
-    kubectl create secret generic ssh-gateway-host-key --from-file=host.key -n "{{repl Namespace }}" || echo "SSH Gateway Host Key secret has not been created. Does it exist already?"
+    kubectl create secret generic ssh-gateway-host-key --from-file=host.key -n "${NAMESPACE}" || echo "SSH Gateway Host Key secret has not been created. Does it exist already?"
     yq e -i '.sshGatewayHostKey.kind = "secret"' "${CONFIG_FILE}"
     yq e -i '.sshGatewayHostKey.name = "ssh-gateway-host-key"' "${CONFIG_FILE}"
 fi
 
-if [ '{{repl ConfigOptionEquals "tls_self_signed_enabled" "1" }}' = "true" ];
+if [ "${TLS_SELF_SIGNED_ENABLED}" = "1" ];
 then
     echo "Gitpod: Generating a self-signed certificate with the internal CA"
     yq e -i '.customCACert.kind = "secret"' "${CONFIG_FILE}"
     yq e -i '.customCACert.name = "ca-issuer-ca"' "${CONFIG_FILE}"
-elif [ '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") (ConfigOptionNotEquals "tls_ca_crt" "") }}' = "true" ];
+elif [ "${TLS_SELF_SIGNED_ENABLED}" = "0" ] && [ "${CERT_MANAGER_ENABLED}" = "0" ] && [ "${TLS_CUSTOM_CA_CRT_ENABLED}" = "true" ];
 then
     echo "Gitpod: Setting CA to be used for certificate"
     yq e -i '.customCACert.kind = "secret"' "${CONFIG_FILE}"
     yq e -i '.customCACert.name = "ca-certificate"' "${CONFIG_FILE}"
 fi
 
-if [ '{{repl ConfigOptionEquals "user_management_block_enabled" "1" }}' = "true" ];
+if [ "${USER_MANAGEMENT_BLOCK_ENABLED}" = "1" ];
 then
     echo "Gitpod: Adding blockNewUsers to config"
     yq e -i '.blockNewUsers.enabled = true' "${CONFIG_FILE}"
 
-    # shellcheck disable=SC1083
-    for domain in {{repl ConfigOption "user_management_block_passlist" }}
+    for domain in ${USER_MANAGEMENT_BLOCK_PASSLIST}
     do
         echo "Gitpod: Adding domain \"${domain}\" to blockNewUsers config"
         yq e -i ".blockNewUsers.passlist += \"${domain}\"" "${CONFIG_FILE}"
     done
 fi
 
-if [ '{{repl ConfigOptionEquals "advanced_mode_enabled" "1" }}' = "true" ];
+if [ "${ADVANCED_MODE_ENABLED}" = "1" ];
 then
     echo "Gitpod: Applying advanced configuration"
 
-    if [ '{{repl ConfigOptionNotEquals "component_proxy_service_serviceType" "" }}' = "true" ];
+    if [ "${COMPONENT_PROXY_SERVICE_SERVICETYPE}" != "" ];
     then
         # Empty string defaults to LoadBalancer. This maintains backwards compatibility with the deprecated experimental value
         echo "Gitpod: Applying Proxy service type"
-        yq e -i ".components.proxy.service.serviceType = \"{{repl ConfigOption "component_proxy_service_serviceType" }}\"" "${CONFIG_FILE}"
+        yq e -i ".components.proxy.service.serviceType = \"${COMPONENT_PROXY_SERVICE_SERVICETYPE}\"" "${CONFIG_FILE}"
     fi
 
-    if [ '{{repl ConfigOptionNotEquals "customization_patch" "" }}' = "true" ];
+    if [ "${CUSTOMIZATION_PATCH_ENABLED}" = "true" ];
     then
         CUSTOMIZATION='{{repl ConfigOptionData "customization_patch" | Base64Encode }}'
         echo "Gitpod: Applying customization patch ${CUSTOMIZATION}"
@@ -235,7 +234,7 @@ else
 fi
 
 echo "Gitpod: Update platform telemetry value"
-yq eval-all --inplace '.experimental.telemetry.data.platform = "{{repl Distribution }}"' "${CONFIG_FILE}"
+yq eval-all --inplace ".experimental.telemetry.data.platform = \"${DISTRIBUTION}\"" "${CONFIG_FILE}"
 
 echo "Gitpod: Patch Gitpod config"
 base64 -d "${CONFIG_PATCH_FILE}" > /tmp/patch.yaml
@@ -259,9 +258,9 @@ appVersion: "$(/app/installer version | yq e '.version' -)"
 EOF
 
 echo "Gitpod: render Kubernetes manifests"
-/app/installer render -c "${CONFIG_FILE}" --namespace "{{repl Namespace }}" --use-experimental-config > "${GITPOD_OBJECTS}/templates/gitpod.yaml"
+/app/installer render -c "${CONFIG_FILE}" --namespace "${NAMESPACE}" --use-experimental-config > "${GITPOD_OBJECTS}/templates/gitpod.yaml"
 
-if [ '{{repl ConfigOptionEquals "reg_incluster" "1" }}' = "true" ];
+if [ "${REG_INCLUSTER_ENABLED}" = "1" ];
 then
     echo "Gitpod: Add the local registry secret to the in-cluster registry secret"
 
@@ -277,14 +276,14 @@ then
     echo "Gitpod: update the in-cluster registry secret"
     yq eval-all --inplace '(select(.kind == "Secret" and .metadata.name == "builtin-registry-auth") | .data.".dockerconfigjson") |= env(REGISTRY_SECRET)' \
         "${GITPOD_OBJECTS}/templates/gitpod.yaml"
-    fi
+fi
 
 echo "Gitpod: Escape any Golang template values"
 # shellcheck disable=SC2016
 sed -i -r 's/(.*\{\{.*)/{{`\1`}}/' "${GITPOD_OBJECTS}/templates/gitpod.yaml"
 
 # If certificate secret already exists, set the timeout to 5m
-CERT_SECRET=$(kubectl get secrets -n "{{repl Namespace }}" https-certificates -o jsonpath='{.metadata.name}' || echo '')
+CERT_SECRET=$(kubectl get secrets -n "${NAMESPACE}" https-certificates -o jsonpath='{.metadata.name}' || echo '')
 HELM_TIMEOUT="5m"
 if [ "${CERT_SECRET}" = "" ]; then
     HELM_TIMEOUT="1h"
@@ -297,14 +296,14 @@ helm upgrade \
     --cleanup-on-fail \
     --create-namespace \
     --install \
-    --namespace="{{repl Namespace }}" \
+    --namespace="${NAMESPACE}" \
     --reset-values \
     --timeout "${HELM_TIMEOUT}" \
     --wait \
     gitpod \
     "${GITPOD_OBJECTS}"
 
 echo "Gitpod: Restarting installation status job"
-kubectl delete pod -n "{{repl Namespace }}" -l component=gitpod-installer-status || true
+kubectl delete pod -n "${NAMESPACE}" -l component=gitpod-installer-status || true
 
 echo "Gitpod: Installer job finished - goodbye"

install/kots/manifests/gitpod-installer-job.yaml

@@ -51,6 +51,9 @@ spec:
               value: /run/containerd/containerd.sock
             - name: GITPOD_OBJECTS
               value: /tmp/gitpod
+          envFrom:
+            - configMapRef:
+                name: gitpod-kots-config
           command:
             - /app/scripts/kots-install.sh
       volumes:

install/kots/manifests/gitpod-kots-config.yaml

@@ -0,0 +1,58 @@
+# Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitpod-kots-config
+  labels:
+    app: gitpod
+    component: gitpod-installer
+data:
+  # General settings
+  CURSOR: repl{{ Cursor | quote }}
+  DISTRIBUTION: repl{{ Distribution | quote }}
+  DOMAIN: repl{{ ConfigOption "domain" | quote }}
+  NAMESPACE: repl{{ Namespace | quote }}
+  OPEN_VSX_URL: repl{{ ConfigOption "openVsxUrl" | quote }}
+  SSH_GATEWAY: repl{{ ConfigOption "ssh_gateway" | quote }}
+
+  # Database settings
+  DB_INCLUSTER_ENABLED: repl{{ ConfigOption "db_incluster" | quote }}
+  DB_CLOUDSQL_ENABLED: repl{{ ConfigOption "db_cloudsql_enabled" | quote }}
+  DB_CLOUDSQL_INSTANCE: repl{{ ConfigOption "db_cloudsql_instance" | quote }}
+
+  # Airgap settings
+  HAS_LOCAL_REGISTRY: repl{{ HasLocalRegistry | quote }}
+  LOCAL_REGISTRY_ADDRESS: repl{{ LocalRegistryAddress | quote }}
+  LOCAL_REGISTRY_HOST: repl{{ LocalRegistryHost | quote }}
+  LOCAL_REGISTRY_IMAGE_PULL_SECRET: repl{{ LocalRegistryImagePullSecret | quote }}
+  IMAGE_PULL_SECRET_NAME: repl{{ ImagePullSecretName | quote }}
+
+  # Registry settings
+  REG_INCLUSTER_ENABLED: repl{{ ConfigOption "reg_incluster" | quote }}
+  REG_URL: repl{{ ConfigOption "reg_url" | quote }}
+  REG_INCLUSTER_STORAGE: repl{{ ConfigOption "reg_incluster_storage" | quote }}
+  REG_INCLUSTER_STORAGE_S3_REGION: repl{{ ConfigOption "reg_incluster_storage_s3_region" | quote }}
+  REG_INCLUSTER_STORAGE_S3_ENDPOINT: repl{{ ConfigOption "reg_incluster_storage_s3_endpoint" | quote }}
+  REG_INCLUSTER_STORAGE_S3_BUCKETNAME: repl{{ ConfigOption "reg_incluster_storage_s3_bucketname" | quote }}
+
+  # Storage settings
+  STORE_PROVIDER: repl{{ ConfigOption "store_provider" | quote }}
+  STORE_REGION: repl{{ ConfigOption "store_region" | quote }}
+  STORE_GCP_PROJECT: repl{{ ConfigOption "store_gcp_project" | quote }}
+  STORE_S3_ENDPOINT: repl{{ ConfigOption "store_s3_endpoint" | quote }}
+  STORE_S3_BUCKET: repl{{ ConfigOption "store_s3_bucket" | quote }}
+
+  # TLS certificate settings
+  CERT_MANAGER_ENABLED: repl{{ ConfigOption "cert_manager_enabled" | quote }}
+  TLS_SELF_SIGNED_ENABLED: repl{{ ConfigOption "tls_self_signed_enabled" | quote }}
+  TLS_USE_CUSTOM_CA_CRT: repl{{ ConfigOptionNotEquals tls_ca_crt" "" | quote }} # Use comparison not value
+
+  # User management settings
+  USER_MANAGEMENT_BLOCK_ENABLED: repl{{ ConfigOption "user_management_block_enabled" | quote }}
+  USER_MANAGEMENT_BLOCK_PASSLIST: repl{{ ConfigOption "user_management_block_passlist" | quote }}
+
+  # Advanced settings
+  ADVANCED_MODE_ENABLED: repl{{ ConfigOption "advanced_mode_enabled" | quote }}
+  COMPONENT_PROXY_SERVICE_SERVICETYPE: repl{{ ConfigOption "component_proxy_service_serviceType" | quote }}