fix(helm): move rotationPolicy under privateKey for cert-manager compatibility

helm/sim/examples/values-azure.yaml

@@ -6,6 +6,22 @@ global:
   imageRegistry: "ghcr.io"
   # Use "managed-csi-premium" for Premium SSD (requires Premium storage-capable VMs like Standard_DS*)
   # Use "managed-csi" for Standard SSD (works with all VM types)
+  #
+  # IMPORTANT: For production database workloads, create a StorageClass with reclaimPolicy: Retain
+  # to protect volumes from accidental deletion (e.g., kubectl delete namespace):
+  #
+  #   apiVersion: storage.k8s.io/v1
+  #   kind: StorageClass
+  #   metadata:
+  #     name: managed-csi-premium-retain
+  #   provisioner: disk.csi.azure.com
+  #   parameters:
+  #     skuname: Premium_LRS
+  #   reclaimPolicy: Retain
+  #   volumeBindingMode: WaitForFirstConsumer
+  #   allowVolumeExpansion: true
+  #
+  # Then use: storageClass: "managed-csi-premium-retain"
   storageClass: "managed-csi"
 
 # Main application
@@ -113,9 +129,10 @@ postgresql:
       cpu: "500m"
 
   # Persistent storage using Azure Managed Disk
+  # For production, use a StorageClass with reclaimPolicy: Retain (see global.storageClass comment)
   persistence:
     enabled: true
-    storageClass: "managed-csi"
+    storageClass: "managed-csi-premium-retain"
     size: 10Gi
 
   # SSL/TLS configuration (requires cert-manager to be installed)

helm/sim/examples/values-production.yaml

@@ -1,9 +1,14 @@
 # Production values for Sim
 # This configuration is suitable for production deployments
+#
+# IMPORTANT: For database volumes, use a StorageClass with reclaimPolicy: Retain
+# to protect data from accidental deletion. The default "Delete" policy will
+# destroy the underlying disk when a PVC is deleted (including via namespace deletion).
 
 # Global configuration
 global:
   imageRegistry: "ghcr.io"
+  # Use a StorageClass with reclaimPolicy: Retain for production database workloads
   storageClass: "managed-csi-premium"
 
 # Main application

helm/sim/templates/certificate-postgresql.yaml

@@ -11,12 +11,12 @@ spec:
   duration: {{ .Values.postgresql.tls.duration | default "87600h" }}  # Default: 10 years
   renewBefore: {{ .Values.postgresql.tls.renewBefore | default "2160h" }}  # Default: 90 days before expiry
   isCA: false
-  {{- if .Values.postgresql.tls.rotationPolicy }}
-  rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy }}
-  {{- end }}
   privateKey:
     algorithm: {{ .Values.postgresql.tls.privateKey.algorithm | default "RSA" }}
     size: {{ .Values.postgresql.tls.privateKey.size | default 4096 }}
+    {{- if .Values.postgresql.tls.rotationPolicy }}
+    rotationPolicy: {{ .Values.postgresql.tls.rotationPolicy }}
+    {{- end }}
   usages:
     - server auth
     - client auth