From 34af8e4f57c449837a3f005697212ba1ebf25509 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Wed, 28 Jan 2026 10:26:19 -0800 Subject: [PATCH 1/3] fix(helm): move rotationPolicy under privateKey for cert-manager compatibility --- helm/sim/templates/certificate-postgresql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helm/sim/templates/certificate-postgresql.yaml b/helm/sim/templates/certificate-postgresql.yaml index bbe390adf5..84f507cafd 100644 --- a/helm/sim/templates/certificate-postgresql.yaml +++ b/helm/sim/templates/certificate-postgresql.yaml @@ -11,12 +11,12 @@ spec: duration: {{ .Values.postgresql.tls.duration | default "87600h" }} # Default: 10 years renewBefore: {{ .Values.postgresql.tls.renewBefore | default "2160h" }} # Default: 90 days before expiry isCA: false - {{- if .Values.postgresql.tls.rotationPolicy }} - rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy }} - {{- end }} privateKey: algorithm: {{ .Values.postgresql.tls.privateKey.algorithm | default "RSA" }} size: {{ .Values.postgresql.tls.privateKey.size | default 4096 }} + {{- if .Values.postgresql.tls.rotationPolicy }} + rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy }} + {{- end }} usages: - server auth - client auth From afeadeac83b9db3d7c8e7dba604ef65b054ba335 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Wed, 28 Jan 2026 10:30:24 -0800 Subject: [PATCH 2/3] docs(helm): add reclaimPolicy Retain guidance for production database storage --- helm/sim/examples/values-azure.yaml | 19 ++++++++++++++++++- helm/sim/examples/values-production.yaml | 5 +++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml index 982605fa7b..8d4145efc6 100644 --- a/helm/sim/examples/values-azure.yaml +++ b/helm/sim/examples/values-azure.yaml 
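Review bot: In the certificate-postgresql.yaml hunk, `privateKey.rotationPolicy` is still rendered only when `postgresql.tls.rotationPolicy` is set, so an unset value leaves key rotation to the installed cert-manager's default. As far as I know that default was `Never` before cert-manager v1.18 and `Always` from v1.18 on; under `Never` every renewal reuses the same private key, and the template's default `duration` is 10 years. The value is also emitted unquoted and unchecked. Consider pinning and quoting it, e.g. `rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy | default "Always" | quote }}`. At minimum, add a comment above the `if` such as `# Accepted values: Never, Always; when unset the cert-manager default applies`.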
@@ -6,6 +6,22 @@ global: imageRegistry: "ghcr.io" # Use "managed-csi-premium" for Premium SSD (requires Premium storage-capable VMs like Standard_DS*) # Use "managed-csi" for Standard SSD (works with all VM types) + # + # IMPORTANT: For production database workloads, create a StorageClass with reclaimPolicy: Retain + # to protect volumes from accidental deletion (e.g., kubectl delete namespace): + # + # apiVersion: storage.k8s.io/v1 + # kind: StorageClass + # metadata: + # name: managed-csi-premium-retain + # provisioner: disk.csi.azure.com + # parameters: + # skuname: Premium_LRS + # reclaimPolicy: Retain + # volumeBindingMode: WaitForFirstConsumer + # allowVolumeExpansion: true + # + # Then use: storageClass: "managed-csi-premium-retain" storageClass: "managed-csi" # Main application @@ -113,9 +129,10 @@ postgresql: cpu: "500m" # Persistent storage using Azure Managed Disk + # For production, use a StorageClass with reclaimPolicy: Retain (see global.storageClass comment) persistence: enabled: true - storageClass: "managed-csi" + storageClass: "managed-csi-premium-retain" size: 10Gi # SSL/TLS configuration (requires cert-manager to be installed) diff --git a/helm/sim/examples/values-production.yaml b/helm/sim/examples/values-production.yaml index 794afa4ac0..f09cfb5d62 100644 --- a/helm/sim/examples/values-production.yaml +++ b/helm/sim/examples/values-production.yaml @@ -1,9 +1,14 @@ # Production values for Sim # This configuration is suitable for production deployments +# +# IMPORTANT: For database volumes, use a StorageClass with reclaimPolicy: Retain +# to protect data from accidental deletion. The default "Delete" policy will +# destroy the underlying disk when a PVC is deleted (including via namespace deletion). # Global configuration global: imageRegistry: "ghcr.io" + # Use a StorageClass with reclaimPolicy: Retain for production database workloads storageClass: "managed-csi-premium" # Main application 
From c64458827ea2e74d39831e88972e80905b8f3630 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Wed, 28 Jan 2026 10:41:29 -0800 Subject: [PATCH 3/3] fix(helm): prevent empty branding ConfigMap creation --- helm/sim/examples/values-azure.yaml | 24 ++++------------------ helm/sim/examples/values-production.yaml | 6 +----- helm/sim/templates/configmap-branding.yaml | 2 +- helm/sim/templates/deployment-app.yaml | 10 +++++---- 4 files changed, 12 insertions(+), 30 deletions(-) diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml index 8d4145efc6..a11b55adc9 100644 --- a/helm/sim/examples/values-azure.yaml +++ b/helm/sim/examples/values-azure.yaml @@ -4,24 +4,9 @@ # Global configuration global: imageRegistry: "ghcr.io" - # Use "managed-csi-premium" for Premium SSD (requires Premium storage-capable VMs like Standard_DS*) - # Use "managed-csi" for Standard SSD (works with all VM types) - # - # IMPORTANT: For production database workloads, create a StorageClass with reclaimPolicy: Retain - # to protect volumes from accidental deletion (e.g., kubectl delete namespace): - # - # apiVersion: storage.k8s.io/v1 - # kind: StorageClass - # metadata: - # name: managed-csi-premium-retain - # provisioner: disk.csi.azure.com - # parameters: - # skuname: Premium_LRS - # reclaimPolicy: Retain - # volumeBindingMode: WaitForFirstConsumer - # allowVolumeExpansion: true - # - # Then use: storageClass: "managed-csi-premium-retain" + # Use "managed-csi-premium" for Premium SSD, "managed-csi" for Standard SSD + # IMPORTANT: For production, use a StorageClass with reclaimPolicy: Retain + # to protect database volumes from accidental deletion. storageClass: "managed-csi" # Main application 
@@ -129,10 +114,9 @@ postgresql: cpu: "500m" # Persistent storage using Azure Managed Disk - # For production, use a StorageClass with reclaimPolicy: Retain (see global.storageClass comment) persistence: enabled: true - storageClass: "managed-csi-premium-retain" + storageClass: "managed-csi" size: 10Gi # SSL/TLS configuration (requires cert-manager to be installed) diff --git a/helm/sim/examples/values-production.yaml b/helm/sim/examples/values-production.yaml index f09cfb5d62..9874cb1a51 100644 --- a/helm/sim/examples/values-production.yaml +++ b/helm/sim/examples/values-production.yaml @@ -1,14 +1,10 @@ # Production values for Sim # This configuration is suitable for production deployments -# -# IMPORTANT: For database volumes, use a StorageClass with reclaimPolicy: Retain -# to protect data from accidental deletion. The default "Delete" policy will -# destroy the underlying disk when a PVC is deleted (including via namespace deletion). # Global configuration global: imageRegistry: "ghcr.io" - # Use a StorageClass with reclaimPolicy: Retain for production database workloads + # For production, use a StorageClass with reclaimPolicy: Retain storageClass: "managed-csi-premium" # Main application diff --git a/helm/sim/templates/configmap-branding.yaml b/helm/sim/templates/configmap-branding.yaml index 4e22d3a2b5..ae05c4dd82 100644 --- a/helm/sim/templates/configmap-branding.yaml +++ b/helm/sim/templates/configmap-branding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.branding.enabled }} +{{- if and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }} --- # Branding ConfigMap # Mounts custom branding assets (logos, CSS, etc.) into the application diff --git a/helm/sim/templates/deployment-app.yaml b/helm/sim/templates/deployment-app.yaml index 5362dd43e8..31be48aa37 100644 --- a/helm/sim/templates/deployment-app.yaml +++ b/helm/sim/templates/deployment-app.yaml 
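Review bot: The guard `and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles)` added in configmap-branding.yaml is copied verbatim into both deployment-app.yaml hunks (`volumeMounts` and `volumes`), with nothing tying the three copies together. If one copy is edited later and the others are not, the Deployment can reference a `-branding` ConfigMap that is never rendered, and the pod will fail to start on the missing volume. Consider moving the condition into a named template next to `sim.fullname` (suggested name `sim.hasBranding`, printing `true` when the condition holds) and using `{{- if include "sim.hasBranding" . }}` in all three places. A short comment above the guard explaining that an enabled but empty branding section intentionally renders nothing would also help.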
@@ -110,9 +110,10 @@ spec: {{- end }} {{- include "sim.resources" .Values.app | nindent 10 }} {{- include "sim.securityContext" .Values.app | nindent 10 }} - {{- if or .Values.branding.enabled .Values.extraVolumeMounts .Values.app.extraVolumeMounts }} + {{- $hasBranding := and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }} + {{- if or $hasBranding .Values.extraVolumeMounts .Values.app.extraVolumeMounts }} volumeMounts: - {{- if .Values.branding.enabled }} + {{- if $hasBranding }} - name: branding mountPath: {{ .Values.branding.mountPath | default "/app/public/branding" }} readOnly: true @@ -124,9 +125,10 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} {{- end }} - {{- if or .Values.branding.enabled .Values.extraVolumes .Values.app.extraVolumes }} + {{- $hasBranding := and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }} + {{- if or $hasBranding .Values.extraVolumes .Values.app.extraVolumes }} volumes: - {{- if .Values.branding.enabled }} + {{- if $hasBranding }} - name: branding configMap: name: {{ include "sim.fullname" . }}-branding
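Review bot: `$hasBranding` is declared with `:=` twice in deployment-app.yaml, once before `volumeMounts` and again before `volumes`, using the same expression. A template variable stays visible until the `end` of the control structure it was declared in, so the second declaration is only needed if the first sits inside a block that closes before the `volumes` section. The hunks do not show the enclosing blocks, so this cannot be confirmed from here. Declaring it once at the top of the template, `{{- $hasBranding := and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }}`, and dropping both in-place declarations would keep the mount and the volume from ever disagreeing. A one-line comment there, `{{- /* true only when branding is enabled and at least one file is provided */ -}}`, would document the intent.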