work

ops/deployment/export/helm-overlays.md

@@ -0,0 +1,35 @@
+# Export Center Helm Overlays (DEPLOY-EXPORT-35-001)
+
+## Values files (download-only)
+- `deploy/helm/stellaops/values-export.yaml` (add) with:
+  - `exportcenter:`
+    - `image.repository`: `registry.stella-ops.org/export-center`
+    - `image.tag`: set via pipeline
+    - `objectStorage.endpoint`: `http://minio:9000`
+    - `objectStorage.bucket`: `export-prod`
+    - `objectStorage.accessKeySecret`: `exportcenter-minio`
+    - `objectStorage.secretKeySecret`: `exportcenter-minio`
+    - `signing.kmsKey`: `exportcenter-kms`
+    - `signing.kmsRegion`: `us-east-1`
+    - `dsse.enabled`: true
+
+## Secrets
+- KMS signing: create secret `exportcenter-kms` with JSON key material (KMS provider specific). Example: `ops/deployment/export/secrets-example.yaml`.
+- MinIO creds: `exportcenter-minio` with `accesskey`, `secretkey` keys (see example manifest).
+
+## Rollout
+- `helm upgrade --install export-center deploy/helm/stellaops -f deploy/helm/stellaops/values-export.yaml --set image.tag=$TAG`
+- Pre-flight: `helm template ...` and `helm lint`.
+- Post: verify readiness `kubectl rollout status deploy/export-center` and run `curl /healthz`.
+
+## Rollback
+- `helm rollback export-center <rev>`; ensure previous tag exists.
+
+## Required artefacts
+- Signed images + provenance (from release pipeline).
+- SBOM attached via registry (cosign attestations acceptable).
+
+## Acceptance
+- Overlay renders without missing values.
+- Secrets documented and referenced in template.
+- Rollout/rollback steps documented.