fix(helm): move rotationPolicy under privateKey for cert-manager compatibility (#3046)

* fix(helm): move rotationPolicy under privateKey for cert-manager compatibility

* docs(helm): add reclaimPolicy Retain guidance for production database storage

* fix(helm): prevent empty branding ConfigMap creation

helm/sim/examples/values-azure.yaml

@@ -4,8 +4,9 @@
 # Global configuration
 global:
   imageRegistry: "ghcr.io"
-  # Use "managed-csi-premium" for Premium SSD (requires Premium storage-capable VMs like Standard_DS*)
-  # Use "managed-csi" for Standard SSD (works with all VM types)
+  # Use "managed-csi-premium" for Premium SSD, "managed-csi" for Standard SSD
+  # IMPORTANT: For production, use a StorageClass with reclaimPolicy: Retain
+  # to protect database volumes from accidental deletion.
   storageClass: "managed-csi"
 
 # Main application

helm/sim/examples/values-production.yaml

@@ -4,6 +4,7 @@
 # Global configuration
 global:
   imageRegistry: "ghcr.io"
+  # For production, use a StorageClass with reclaimPolicy: Retain
   storageClass: "managed-csi-premium"
 
 # Main application

helm/sim/templates/certificate-postgresql.yaml

@@ -11,12 +11,12 @@ spec:
   duration: {{ .Values.postgresql.tls.duration | default "87600h" }}  # Default: 10 years
   renewBefore: {{ .Values.postgresql.tls.renewBefore | default "2160h" }}  # Default: 90 days before expiry
   isCA: false
-  {{- if .Values.postgresql.tls.rotationPolicy }}
-  rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy }}
-  {{- end }}
   privateKey:
     algorithm: {{ .Values.postgresql.tls.privateKey.algorithm | default "RSA" }}
     size: {{ .Values.postgresql.tls.privateKey.size | default 4096 }}
+    {{- if .Values.postgresql.tls.rotationPolicy }}
+    rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy }}
+    {{- end }}
   usages:
     - server auth
     - client auth

helm/sim/templates/configmap-branding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.branding.enabled }}
+{{- if and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }}
 ---
 # Branding ConfigMap
 # Mounts custom branding assets (logos, CSS, etc.) into the application

helm/sim/templates/deployment-app.yaml

@@ -110,9 +110,10 @@ spec:
           {{- end }}
           {{- include "sim.resources" .Values.app | nindent 10 }}
           {{- include "sim.securityContext" .Values.app | nindent 10 }}
-          {{- if or .Values.branding.enabled .Values.extraVolumeMounts .Values.app.extraVolumeMounts }}
+          {{- $hasBranding := and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }}
+          {{- if or $hasBranding .Values.extraVolumeMounts .Values.app.extraVolumeMounts }}
           volumeMounts:
-            {{- if .Values.branding.enabled }}
+            {{- if $hasBranding }}
             - name: branding
               mountPath: {{ .Values.branding.mountPath | default "/app/public/branding" }}
               readOnly: true
@@ -124,9 +125,10 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
-      {{- if or .Values.branding.enabled .Values.extraVolumes .Values.app.extraVolumes }}
+      {{- $hasBranding := and .Values.branding.enabled (or .Values.branding.files .Values.branding.binaryFiles) }}
+      {{- if or $hasBranding .Values.extraVolumes .Values.app.extraVolumes }}
       volumes:
-        {{- if .Values.branding.enabled }}
+        {{- if $hasBranding }}
         - name: branding
           configMap:
             name: {{ include "sim.fullname" . }}-branding