fix(helm): hardening from review

- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

helm/ezscale-website/templates/statefulset-valkey.yaml

@@ -1,18 +1,4 @@
 {{- if .Values.valkey.enabled }}
-{{- $secretName := printf "%s-valkey" (include "ezscale-website.fullname" .) }}
-{{- if .Values.valkey.password }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ $secretName }}
-  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
-  annotations:
-    helm.sh/resource-policy: keep
-type: Opaque
-stringData:
-  password: {{ .Values.valkey.password | quote }}
----
-{{- end }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -53,6 +39,10 @@ spec:
       containers:
         - name: valkey
           image: {{ .Values.valkey.image }}
+          # When requirePassword is true, REDIS_PASSWORD is sourced from the
+          # main chart Secret (same Secret the app/horizon/scheduler pods read
+          # via envFrom). Local dev can put it in secret.values; prod
+          # bootstraps it manually per the chart README.
           command:
             - valkey-server
             - --appendonly
@@ -61,17 +51,17 @@ spec:
             - {{ .Values.valkey.maxmemory | quote }}
             - --maxmemory-policy
             - allkeys-lru
-            {{- if .Values.valkey.password }}
+            {{- if .Values.valkey.requirePassword }}
             - --requirepass
             - $(REDIS_PASSWORD)
             {{- end }}
-          {{- if .Values.valkey.password }}
+          {{- if .Values.valkey.requirePassword }}
           env:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ $secretName }}
-                  key: password
+                  name: {{ include "ezscale-website.secretName" . }}
+                  key: REDIS_PASSWORD
           {{- end }}
           ports:
             - name: redis
@@ -81,7 +71,11 @@ spec:
               mountPath: /data
           livenessProbe:
             exec:
+              {{- if .Values.valkey.requirePassword }}
+              command: ["sh", "-c", "valkey-cli -a \"$REDIS_PASSWORD\" --no-auth-warning ping"]
+              {{- else }}
               command: ["valkey-cli", "ping"]
+              {{- end }}
             initialDelaySeconds: 10
             periodSeconds: 10
   volumeClaimTemplates: