fix(helm): hardening from review

- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

helm/ezscale-website/README.md

@@ -37,6 +37,7 @@ openssl rsa -in "$TMP_KEYS/oauth-private.key" -pubout -out "$TMP_KEYS/oauth-publ
 
 # 3. Gather production secrets. Read each one and store in shell vars.
 DB_PASS=$(openssl rand -base64 32 | tr -d '/=+' | cut -c1-32)
+REDIS_PASS=$(openssl rand -base64 32 | tr -d '/=+' | cut -c1-32)
 read -sp "STRIPE_KEY (pk_live_...): " STRIPE_KEY; echo
 read -sp "STRIPE_SECRET (sk_live_...): " STRIPE_SECRET; echo
 read -sp "STRIPE_WEBHOOK_SECRET (whsec_...): " STRIPE_WEBHOOK; echo
@@ -54,6 +55,7 @@ kubectl create secret generic ezscale-website-secrets \
   --namespace ezscale \
   --from-literal=APP_KEY="$APP_KEY" \
   --from-literal=DB_PASSWORD="$DB_PASS" \
+  --from-literal=REDIS_PASSWORD="$REDIS_PASS" \
   --from-literal=STRIPE_KEY="$STRIPE_KEY" \
   --from-literal=STRIPE_SECRET="$STRIPE_SECRET" \
   --from-literal=STRIPE_WEBHOOK_SECRET="$STRIPE_WEBHOOK" \