git.stella-ops.org/ops/deployment/export/helm-overlays.md

# Export Center Helm Overlays (DEPLOY-EXPORT-35-001)

## Values files (download-only)
- `deploy/helm/stellaops/values-export.yaml` (add) with:
  - `exportcenter:`
    - `image.repository`: `registry.stella-ops.org/export-center`
    - `image.tag`: set via pipeline
    - `objectStorage.endpoint`: `http://minio:9000`
    - `objectStorage.bucket`: `export-prod`
    - `objectStorage.accessKeySecret`: `exportcenter-minio`
    - `objectStorage.secretKeySecret`: `exportcenter-minio`
    - `signing.kmsKey`: `exportcenter-kms`
    - `signing.kmsRegion`: `us-east-1`
    - `dsse.enabled`: true

## Secrets
- KMS signing: create secret `exportcenter-kms` with JSON key material (KMS provider specific). Example: `ops/deployment/export/secrets-example.yaml`.
- MinIO creds: `exportcenter-minio` with `accesskey`, `secretkey` keys (see example manifest).

## Rollout
- `helm upgrade --install export-center deploy/helm/stellaops -f deploy/helm/stellaops/values-export.yaml --set image.tag=$TAG`
- Pre-flight: `helm template ...` and `helm lint`.
- Post: verify readiness `kubectl rollout status deploy/export-center` and run `curl /healthz`.

## Rollback
- `helm rollback export-center <rev>`; ensure previous tag exists.

## Required artefacts
- Signed images + provenance (from release pipeline).
- SBOM attached via registry (cosign attestations acceptable).

## Acceptance
- Overlay renders without missing values.
- Secrets documented and referenced in template.
- Rollout/rollback steps documented.