feat(licence): opt-in licence management via --licence-secret flag

[flemzord]

Summary

• Mark EE modules: Auth, Orchestration, Search, Wallets, Webhooks now have IsEE() = true
• Opt-in licence management: when --licence-secret is passed, licence env vars (LICENCE_TOKEN, LICENCE_ISSUER, LICENCE_VALIDATE_TICK) are injected into EE module pods; when not passed (default), no licence enforcement
• Remove LICENCE_ENABLED env var: modules detect licence activation from the presence of LICENCE_TOKEN instead
• Remove LICENCE_CLUSTER_ID: no longer needed (kube-system namespace lookup removed)
• Payments conditional EE image: uses payments-ee image when licence secret is configured and version >= v3.2.0-beta.0, falls back to payments (CE) otherwise
• Startup log: operator logs whether licence management is enabled or disabled at boot
• Helm chart bump: 3.7.1 → 3.8.0

Test plan

• Deploy operator without --licence-secret → all modules deploy normally, no licence env vars injected, log shows "licence management disabled"
• Deploy operator with --licence-secret=<secret> → EE modules get LICENCE_TOKEN/LICENCE_ISSUER env vars, log shows "licence management enabled"
• Payments uses payments image without licence, payments-ee with licence (version >= v3.2.0-beta.0)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 826e9e0 and 7c867d7.

⛔ Files ignored due to path filters (5)

• config/crd/bases/formance.com_auths.yaml is excluded by !**/*.yaml
• helm/crds/Chart.yaml is excluded by !**/*.yaml
• helm/crds/templates/crds/apiextensions.k8s.io_v1_customresourcedefinition_auths.formance.com.yaml is excluded by !**/*.yaml
• helm/operator/Chart.lock is excluded by !**/*.lock, !**/*.lock
• helm/operator/Chart.yaml is excluded by !**/*.yaml

📒 Files selected for processing (8)

• api/formance.com/v1beta1/auth_types.go
• api/formance.com/v1beta1/orchestration_types.go
• api/formance.com/v1beta1/search_types.go
• api/formance.com/v1beta1/wallets_types.go
• api/formance.com/v1beta1/webhooks_types.go
• cmd/main.go
• internal/resources/licence/licence.go
• internal/resources/payments/init.go

💤 Files with no reviewable changes (1)

• internal/resources/licence/licence.go

🚧 Files skipped from review as they are similar to previous changes (4)

• api/formance.com/v1beta1/search_types.go
• api/formance.com/v1beta1/wallets_types.go
• api/formance.com/v1beta1/orchestration_types.go
• internal/resources/payments/init.go

---

Walkthrough

Multiple API resource types were marked as Enterprise Edition by changing their IsEE() results to true; licence environment-variable handling was simplified; startup now logs licence status; payments image selection was made licence- and version-aware.

Changes

Cohort / File(s)	Summary
API EE markers api/formance.com/v1beta1/auth_types.go, api/formance.com/v1beta1/orchestration_types.go, api/formance.com/v1beta1/search_types.go, api/formance.com/v1beta1/wallets_types.go, api/formance.com/v1beta1/webhooks_types.go	Updated IsEE() methods to return true for these resource types; auth_types.go also adds a kubebuilder metadata label is-ee=true.
Licence management & env vars cmd/main.go, internal/resources/licence/licence.go	Added conditional startup logging in cmd/main.go showing licence status. Removed logic that injected LICENCE_ENABLED and LICENCE_CLUSTER_ID env vars and removed an unused import from licence.go.
Payments image selection internal/resources/payments/init.go	Reconciler now chooses image name based on LicenceSecret and version: defaults to payments, switches to payments-ee when licence present and version is invalid or ≥ v3.2.0-beta.0. Uses selected image name for subsequent image lookup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰🌿 I hop and peek at code today,
EE flags flipped bright as day,
Licence whispers logged at start,
Payments choose their proper part,
Hooray — a tidy, hoppity chart!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: introducing opt-in licence management via a --licence-secret flag, which aligns with the primary objectives of marking EE modules and making licence management optional.
Description check	✅ Passed	The description comprehensively covers all significant changes including EE module marking, opt-in licence management, environment variable changes, conditional image selection, and the test plan, directly relating to the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/licence-management-opt-in

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}