fix(helm): hardening from review

- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

helm/ezscale-website/README.md

@@ -37,6 +37,7 @@ openssl rsa -in "$TMP_KEYS/oauth-private.key" -pubout -out "$TMP_KEYS/oauth-publ
 
 # 3. Gather production secrets. Read each one and store in shell vars.
 DB_PASS=$(openssl rand -base64 32 | tr -d '/=+' | cut -c1-32)
+REDIS_PASS=$(openssl rand -base64 32 | tr -d '/=+' | cut -c1-32)
 read -sp "STRIPE_KEY (pk_live_...): " STRIPE_KEY; echo
 read -sp "STRIPE_SECRET (sk_live_...): " STRIPE_SECRET; echo
 read -sp "STRIPE_WEBHOOK_SECRET (whsec_...): " STRIPE_WEBHOOK; echo
@@ -54,6 +55,7 @@ kubectl create secret generic ezscale-website-secrets \
   --namespace ezscale \
   --from-literal=APP_KEY="$APP_KEY" \
   --from-literal=DB_PASSWORD="$DB_PASS" \
+  --from-literal=REDIS_PASSWORD="$REDIS_PASS" \
   --from-literal=STRIPE_KEY="$STRIPE_KEY" \
   --from-literal=STRIPE_SECRET="$STRIPE_SECRET" \
   --from-literal=STRIPE_WEBHOOK_SECRET="$STRIPE_WEBHOOK" \

helm/ezscale-website/templates/_helpers.tpl

@@ -35,7 +35,8 @@ Usage: {{ include "ezscale-website.image" (dict "ctx" . "role" "app") }}
 */}}
 {{- define "ezscale-website.image" -}}
 {{- $ctx := .ctx -}}
-{{- printf "%s/%s:%s-%s" $ctx.Values.image.registry $ctx.Values.image.repository .role $ctx.Values.image.tag -}}
+{{- $tag := required "image.tag is required (set via --set image.tag=vX.Y.Z)" $ctx.Values.image.tag -}}
+{{- printf "%s/%s:%s-%s" $ctx.Values.image.registry $ctx.Values.image.repository .role $tag -}}
 {{- end -}}
 
 {{/* Secret name (existing or generated) */}}

helm/ezscale-website/templates/configmap-nginx.yaml

@@ -34,7 +34,10 @@ data:
             fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
             fastcgi_param DOCUMENT_ROOT $realpath_root;
             fastcgi_param HTTP_PROXY "";
-            fastcgi_param HTTPS $http_x_forwarded_proto;
+            # Pass HTTPS to PHP only when X-Forwarded-Proto is non-empty.
+            # if_not_empty avoids the param being set to "" when the header
+            # is missing (which would falsely satisfy isset($_SERVER['HTTPS'])).
+            fastcgi_param HTTPS $http_x_forwarded_proto if_not_empty;
             fastcgi_buffers 16 16k;
             fastcgi_buffer_size 32k;
             fastcgi_read_timeout 300;

helm/ezscale-website/templates/deployment-app.yaml

@@ -51,11 +51,19 @@ spec:
             - name: nginx-config
               mountPath: /etc/nginx/conf.d
               readOnly: true
+          # Startup probe gives the app up to 100s for first-boot work
+          # (config:cache + route:cache + view:cache + opcache warmup) before
+          # liveness takes over.
+          startupProbe:
+            httpGet:
+              path: {{ .Values.healthCheck.livenessPath }}
+              port: http
+            failureThreshold: 20
+            periodSeconds: 5
           livenessProbe:
             httpGet:
               path: {{ .Values.healthCheck.livenessPath }}
               port: http
-            initialDelaySeconds: {{ .Values.healthCheck.initialDelaySeconds }}
             periodSeconds: {{ .Values.healthCheck.periodSeconds }}
             timeoutSeconds: {{ .Values.healthCheck.timeoutSeconds }}
             failureThreshold: {{ .Values.healthCheck.failureThreshold }}
@@ -63,7 +71,6 @@ spec:
             httpGet:
               path: {{ .Values.healthCheck.readinessPath }}
               port: http
-            initialDelaySeconds: 5
             periodSeconds: 5
         - name: app
           image: {{ include "ezscale-website.image" (dict "ctx" . "role" "app") }}

helm/ezscale-website/templates/deployment-horizon.yaml

@@ -41,6 +41,8 @@ spec:
               readOnly: true
           resources:
             {{- toYaml .Values.horizon.resources | nindent 12 }}
+          # horizon:status hits Redis. failureThreshold: 5 + periodSeconds: 30
+          # gives 150s of tolerance for transient Valkey blips before restart.
           livenessProbe:
             exec:
               command:
@@ -50,6 +52,7 @@ spec:
             initialDelaySeconds: 30
             periodSeconds: 30
             timeoutSeconds: 10
+            failureThreshold: 5
       volumes:
         - name: oauth-keys
           secret:

helm/ezscale-website/templates/job-migrate.yaml

@@ -41,4 +41,18 @@ spec:
                 name: {{ include "ezscale-website.fullname" . }}-env
             - secretRef:
                 name: {{ include "ezscale-website.secretName" . }}
+          volumeMounts:
+            - name: oauth-keys
+              mountPath: /var/www/html/secrets
+              readOnly: true
+      volumes:
+        - name: oauth-keys
+          secret:
+            secretName: {{ include "ezscale-website.secretName" . }}
+            items:
+              - key: oauth-private.key
+                path: oauth-private.key
+              - key: oauth-public.key
+                path: oauth-public.key
+            optional: true
 {{- end }}

helm/ezscale-website/templates/statefulset-valkey.yaml

@@ -1,18 +1,4 @@
 {{- if .Values.valkey.enabled }}
-{{- $secretName := printf "%s-valkey" (include "ezscale-website.fullname" .) }}
-{{- if .Values.valkey.password }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ $secretName }}
-  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
-  annotations:
-    helm.sh/resource-policy: keep
-type: Opaque
-stringData:
-  password: {{ .Values.valkey.password | quote }}
----
-{{- end }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -53,6 +39,10 @@ spec:
       containers:
         - name: valkey
           image: {{ .Values.valkey.image }}
+          # When requirePassword is true, REDIS_PASSWORD is sourced from the
+          # main chart Secret (same Secret the app/horizon/scheduler pods read
+          # via envFrom). Local dev can put it in secret.values; prod
+          # bootstraps it manually per the chart README.
           command:
             - valkey-server
             - --appendonly
@@ -61,17 +51,17 @@ spec:
             - {{ .Values.valkey.maxmemory | quote }}
             - --maxmemory-policy
             - allkeys-lru
-            {{- if .Values.valkey.password }}
+            {{- if .Values.valkey.requirePassword }}
             - --requirepass
             - $(REDIS_PASSWORD)
             {{- end }}
-          {{- if .Values.valkey.password }}
+          {{- if .Values.valkey.requirePassword }}
           env:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ $secretName }}
+                  name: {{ include "ezscale-website.secretName" . }}
-                  key: password
+                  key: REDIS_PASSWORD
           {{- end }}
           ports:
             - name: redis
@@ -81,7 +71,11 @@ spec:
               mountPath: /data
           livenessProbe:
             exec:
+              {{- if .Values.valkey.requirePassword }}
+              command: ["sh", "-c", "valkey-cli -a \"$REDIS_PASSWORD\" --no-auth-warning ping"]
+              {{- else }}
               command: ["valkey-cli", "ping"]
+              {{- end }}
             initialDelaySeconds: 10
             periodSeconds: 10
   volumeClaimTemplates:

helm/ezscale-website/values-us-prod.yaml

@@ -43,9 +43,11 @@ mariadb:
   database: ezscale_billing
   username: ezscale_billing_app
 
-# Per-app Valkey for sessions/cache/queue.
+# Per-app Valkey for sessions/cache/queue. requirePassword=true means
+# REDIS_PASSWORD must be present in ezscale-website-secrets.
 valkey:
   enabled: true
+  requirePassword: true
   storage:
     size: 10Gi
     storageClassName: longhorn

helm/ezscale-website/values.yaml

@@ -77,7 +77,11 @@ mariadb:
 valkey:
   enabled: true
   image: valkey/valkey:9-alpine
-  password: ""              # if empty, chart generates a random secret
+  # When true, valkey runs with --requirepass and reads REDIS_PASSWORD from
+  # the main chart Secret (same key the app/horizon/scheduler pods read via
+  # envFrom). The Secret MUST contain a REDIS_PASSWORD key — bootstrap it
+  # alongside APP_KEY in production, or include it in secret.values for dev.
+  requirePassword: false
   maxmemory: "1gb"
   storage:
     size: 5Gi