In the case of the API service running in the same pod with Scalar Manager web doesn't have the persistent endpoints enabled then we can config this baseUrl point to another instance of the Scalar Manager API (in other clusters) to do authentication. Note that the JWT public key need to be configured the same in the API instances

Add a service for API in case we want to expose the API for cross Scalar Manager authentication

Sorry, I don't know the details of cross Scalar Manager authentication. If I remember correctly, we planned to add the simple authentication feature as a first step on the Scalar Manager Web side only to avoid anonymous login.

So, could you please elaborate on the details of cross Scalar Manager authentication?

I am not able to judge whether this service resource is necessary or not and configuration is proper or not without the detailed information of cross Scalar Manager authentication.

Ah, let me explain it a bit more based on the current spec we have.
The cross authentication is in the case: We have two instances of the SM (Scalar Manager) in different clusters for example, one is deployed with a configured database and it has the authentication endpoints, once login the user will have the JWT tokens to access other protected endpoints from that instance (e.g pause, schedule pause). The other instance is deployed without database config but it is configured with the JWT public key sharing the same as instance 1 so this instance is able to verify requests with the JWT token in the header issued by instance 1, basically client (web UI) can login to SM 1 and access to both SM 1 and SM 2, of course the SM 2 API need to be viable to the SM 1.
Please correct me if I miss something @ypeckstadt
I made a PR for the docs update that contains a bit more info about deployment configuration here https://github.com/scalar-labs/docs-internal-orchestration/pull/86

In the application.properties, it seems that you use the term authentication as a property name. However, in the values.yaml file, you use authorization.

Is there any reason why you use the term authorization here?

Sorry if I missed something, but I think it would be better to use the same term authentication to avoid unnecessary confusion.

Actually in the application.properties I also used the authorization in app.authorization.enabled config. The authentication word is used in the prefix for the JWT config only authentication.providers.static-jwt.xxx.
The main reason that authorization makes more sense in our case that the API can be deployed without authentication endpoints but it is still able to verify the request via the JWT in the Authorization header from the requests.

Are these environment variables mandatory?

Listing a lot of environment variables here might cause increasing maintenance costs for Helm Chart. This is my concern.

So, I think it would be better to set configurations via application.properties instead of environment variables. In such a case, we might not need to update the Helm Chart even if you add/change some configurations on the Scalar Manager side. It can reduce the maintenance costs in the future.

These environment variables are mandatory, but they are for the web container. For the api container we still keep the config in the application.properties as it was.
The config for the web container would not be many I think, for now we will have these new three vars.

Sorry, I don't know the details of cross Scalar Manager authentication. If I remember correctly, we planned to add the simple authentication feature as a first step on the Scalar Manager Web side only to avoid anonymous login.

So, could you please elaborate on the details of cross Scalar Manager authentication?

I am not able to judge whether this service resource is necessary or not and configuration is proper or not without the detailed information of cross Scalar Manager authentication.

I think it might be more understandable for users to use web.service.*** and api.service.*** instead of service.web.*** and service.api.***.

This is because Scalar Manager Web and Scalar Manager API are deployed as different containers respectively. (I know they are deployed in one pod, but the components are separated in the pod.)

Also, I think it would be better to combine Scalar Manager Web configurations under the web: key and combine Scalar Manager API configurations under the api: key. In this pattern, users can know These configurations are for Web and These configurations are for API clearly.

What do you think?

Thanks for the suggestion, that makes sense. Let me refactor them.

I think this update breaks backward compatibility. This is because the existing configuration service.type and service.port will not work after this update.

Is my understanding correct?

Also, if this backward incompatible update is intended, do you expect to release this new update as a new major version release? I want to confirm it, just in case.

Yes, it will break the backward compatibility as the config will be moved under the web and I think we will make a new major version release. One other way if we want to keep the backward compatibility is keeping the service at the top level as it was for the web and add only a service config for the API under the api config, but that makes the config looks not be in the same style. WDYT?