git.stella-ops.org/ops/deployment/export/helm-overlays.md
StellaOps Bot 029002ad05 work
2025-11-23 23:40:10 +02:00


Export Center Helm Overlays (DEPLOY-EXPORT-35-001)

Values files (download-only)

  • deploy/helm/stellaops/values-export.yaml (add) with:
    • exportcenter:
      • image.repository: registry.stella-ops.org/export-center
      • image.tag: set via pipeline
      • objectStorage.endpoint: http://minio:9000
      • objectStorage.bucket: export-prod
      • objectStorage.accessKeySecret: exportcenter-minio
      • objectStorage.secretKeySecret: exportcenter-minio
      • signing.kmsKey: exportcenter-kms
      • signing.kmsRegion: us-east-1
      • dsse.enabled: true

Secrets

  • KMS signing: create secret exportcenter-kms with JSON key material (KMS provider specific). Example: ops/deployment/export/secrets-example.yaml.
  • MinIO credentials: secret exportcenter-minio with the keys accesskey and secretkey (see example manifest).

Rollout

  • helm upgrade --install export-center deploy/helm/stellaops -f deploy/helm/stellaops/values-export.yaml --set image.tag=$TAG
  • Pre-flight: helm template ... and helm lint.
  • Post: verify readiness with kubectl rollout status deploy/export-center, then run curl against /healthz.

Rollback

  • helm rollback export-center <rev>; ensure previous tag exists.

Required artefacts

  • Signed images + provenance (from release pipeline).
  • SBOM attached via registry (cosign attestations acceptable).

Acceptance

  • Overlay renders without missing values.
  • Secrets documented and referenced in template.
  • Rollout/rollback steps documented.
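
The first two acceptance items can be checked on the values file before running helm template. The script below is an added example, not part of the StellaOps repository. It assumes the dotted keys listed above are nested YAML mappings under exportcenter and that the pipeline-supplied tag arrives as an override at exportcenter.image.tag. SAMPLE is constructed from the list above, and the function names are hypothetical.

```python
import re
# Keys the page lists under exportcenter; the nested layout is an assumption.
REQUIRED = ("image.repository image.tag objectStorage.endpoint objectStorage.bucket "
            "objectStorage.accessKeySecret objectStorage.secretKeySecret "
            "signing.kmsKey signing.kmsRegion dsse.enabled").split()
SECRET_REFS = [k for k in REQUIRED if k.endswith("Secret")] + ["signing.kmsKey"]
DOCUMENTED_SECRETS = {"exportcenter-minio", "exportcenter-kms"}  # Secrets section
SAMPLE = """\
exportcenter:
  image:
    repository: registry.stella-ops.org/export-center
    tag: ""   # set via pipeline
  objectStorage:
    endpoint: http://minio:9000
    bucket: export-prod
    accessKeySecret: exportcenter-minio
    secretKeySecret: exportcenter-minio
  signing:
    kmsKey: exportcenter-kms
    kmsRegion: us-east-1
  dsse:
    enabled: true
"""  # constructed from the page's list, not the real values-export.yaml

def flatten(text):
    """Flatten mapping-only YAML (no lists or anchors) into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) from the root to the current line
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        stack = [(i, k) for i, k in stack if i < indent] + [(indent, key)]
        if value:  # leaf; a key with nothing after the colon opens a mapping
            flat[".".join(k for _, k in stack)] = value.strip("\"'")
    return flat

def preflight(text, overrides=None):
    """Return (missing required keys, warnings) for the exportcenter overlay."""
    cfg = {**flatten(text), **(overrides or {})}
    get = lambda k: cfg.get("exportcenter." + k, "")
    missing = [k for k in REQUIRED if not get(k)]
    warnings = [f"{k} references undocumented secret {get(k)!r}"
                for k in SECRET_REFS if get(k) and get(k) not in DOCUMENTED_SECRETS]
    if get("objectStorage.endpoint").startswith("http://"):
        warnings.append("objectStorage.endpoint is plain HTTP, not TLS")
    if get("dsse.enabled") != "true":
        warnings.append("dsse.enabled is not true")
    return missing, warnings
```

Run against SAMPLE with no override, it reports image.tag as missing and flags the plain-HTTP object storage endpoint.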