…nnotations

- Add missing seccompProfile to cron pod securityContext (matches deployment)
- Move postgres proxy outside container loop in cron to prevent duplicate sidecars
- Support per-ingress annotations when using ingresses list

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…l Secrets

- Upgrade cloud-sql-proxy from v1 (1.33.16) to v2 (2.21.2)
- Update image, executable name, and CLI flags for v2
- Fix memoryLimt typo in helpers, deprecate memoryLimit (limit = request)
- Replace configmap-based connection config with External Secrets
- Add postgres.instances to configure Secret Manager keys for instance connection names
- Support multiple SQL databases via indexed CSQL_PROXY_INSTANCE_CONNECTION_NAME_N env vars
- Deprecate postgres.connectionConfig with fail message
- Fix deployment.prometheus.path not falling back to default (#225)

BREAKING CHANGE: postgres.connectionConfig is removed in favor of postgres.instances.
Users must migrate their connection config from Kubernetes ConfigMaps to
Secret Manager keys via External Secrets (e.g. postgres.instances: [PGINSTANCES]).

Add deployment.cpuUtilization as the preferred location for HPA CPU
target utilization. Falls back to top-level cpuUtilization for
backwards compatibility, then to default 100%.

- Add StartupCPUBoost CRD resource (enabled by default, 50% increase)
- Boost targets pods by app label, reverts when pod becomes Ready
- Lower default HPA cpuUtilization from 100% to 70% (best practice
  when startup CPU spikes are handled by the boost operator)
- Requires kube-startup-cpu-boost operator installed in the cluster

When container.probes.startup.path is set, the startup probe uses
httpGet instead of tcpSocket. This enables custom startup health
checks for apps with long-running startup tasks like cache warming.

Setting grpc: true now uses native K8s gRPC probes with internalPort
by default. No need to manually set probe ports for each probe.
Removes fallback to exec-based grpc_health_probe which required the
binary in the container image.

…ssName (#126)

Replace kubernetes.io/ingress.class annotation (deprecated since K8s
1.18) with spec.ingressClassName. Defaults to "traefik", configurable
via ingress.ingressClassName or per-ingress ingressClassName field.

Add appId field matching GoogleCloudApplication metadata.id. Falls
back to shortname for backwards compatibility. Adds new "appId" label
to all resources alongside existing "shortname" label.

Add hpa.metrics list for appending custom metrics (Pods, External,
Object) alongside the default CPU utilization metric. Supports
Prometheus/GMP gauges, Pub/Sub queue depth, and any Cloud Monitoring
metric. The existing hpa.spec override for full control is preserved.

- Remove unused grpcexecprobes helper (native K8s gRPC probes are now default)
- Remove shortname value entirely — appId is now required with fail message for migration
- Remove top-level cpuUtilization fallback, use only deployment.cpuUtilization
- Fix readiness probe comment typo (said "liveness")
- Rename shortname to appId in all fixtures and test values

BREAKING CHANGE: shortname is removed. Use appId instead.

…theus metrics

- Remove container.replicas, container.maxReplicas, container.forceReplicas,
  container.minAvailable, container.terminationGracePeriodSeconds — these are
  now only under deployment.* where they belong
- Remove container.* fallbacks from deployment.yaml, hpa.yaml, pdb.yaml
- Enable prometheus metrics on Cloud SQL proxy v2 (--http-port=9801 --prometheus)
  exposing metrics at :9801/metrics for monitoring proxy health and connections
- Update all tests and fixtures to use deployment.* for scaling fields

BREAKING CHANGE: container.replicas, container.maxReplicas, container.forceReplicas,
container.minAvailable, and container.terminationGracePeriodSeconds are removed.
Use deployment.replicas, deployment.maxReplicas, etc. instead.

When postgres is enabled, adds prometheus.io/scrape-sql-proxy,
prometheus.io/sql-proxy-port (9801), and prometheus.io/sql-proxy-path
(/metrics) annotations to pods. Allows configuring Prometheus to scrape
the SQL proxy sidecar alongside the main application.

Add the StartupCPUBoost Helm chart to the CI kind cluster setup so
the StartupCPUBoost CRD is available during helm install tests.

…use appId

…repo

Copy the local common chart into each example's charts/ directory
before running helm template. This tests examples against the current
branch's chart instead of the published version.

…-backend

- Add values-kub-ent-tst.yaml and values-kub-ent-prd.yaml for grpc-app
  example so CI can validate all environments
- Add postgres.instances to typical-backend example (required by v2 proxy)

Add values.schema.json matching v2 values structure. Validates values
on helm install/upgrade/template/lint to catch typos and unknown
properties early. Updated from PR #222 for v2 changes: appId instead
of shortname, scaling fields under deployment only, postgres.instances,
hpa.metrics, startupCPUBoost, ingressClassName, startup probe path.

…E.md

Run unit tests, kind cluster install tests, and example validation
against both Helm 3 and Helm 4 using matrix strategy.

…isabled

When CPU boost is off, Java startup CPU spikes can trigger unnecessary
HPA scale-ups. A 120s stabilization window gives pods time to finish
startup before HPA acts on the elevated CPU. When CPU boost is enabled
the window is not needed since startup spikes are handled by the boost.

…ionWindowSeconds

Defaults to 120s when startupCPUBoost is disabled. Tune to match your
application's typical startup time (e.g. 60s for a fast app, 300s for
a heavy Spring Boot app with cache warming).

When CPU boost is enabled and no explicit cpuLimit is set, the CPU
limit is automatically set to 130% of the CPU request. This gives
the boost operator a ceiling to work within. Explicit cpuLimit
always takes precedence.

…resources

… boost

Memory limit is now always equal to memory request. The previous 1.2x
multiplier and memoryLimit override are removed. container.memoryLimit
is deprecated with a note to use container.memory instead.

BREAKING CHANGE: container.memoryLimit is removed. Memory limit now
always equals memory request. Set container.memory to the value you need.

HPA is now always enabled (unless forceReplicas is set). The Deployment
spec never emits replicas — HPA controls pod count in all environments.

Default minReplicas by environment:
- sbx/dev/tst: 1 (scales down to single pod in low traffic)
- prd: 2 (HA by default)

deployment.replicas overrides the default minReplicas for any env.
PDB protection follows minReplicas: 0% when minReplicas=1, 50% when >=2.

This prevents the v1 bug where helm upgrade would reset HPA-managed
replica counts back to the configured value.

BREAKING CHANGE: HPA is now enabled by default in all environments.
Use deployment.forceReplicas to opt out of HPA.

deployment.replicas is removed. Use deployment.minReplicas to set the
HPA minimum replica count, or deployment.forceReplicas to disable HPA.

Since HPA is always enabled, the Deployment spec never emits replicas
— HPA controls the pod count. This prevents helm upgrade from resetting
HPA-managed replica counts.

BREAKING CHANGE: deployment.replicas is removed. Use deployment.minReplicas
(sets HPA minimum) or deployment.forceReplicas (disables HPA).

…it removal

…db.minAvailable

- Default minReplicas to 2 in all environments (no more env-aware branching)
- Remove pdb.minAvailable — use deployment.minAvailable instead (one place to configure)
- Change maxSurge and maxUnavailable defaults from 25% to 1 (works correctly with 2 replicas)
- PDB automatically 50% when minReplicas >= 2, 0% when minReplicas = 1

BREAKING CHANGE: pdb.minAvailable is removed. Use deployment.minAvailable instead.
Default minReplicas is now 2 in all environments (was 1 in dev/tst).
Default maxSurge and maxUnavailable changed from 25% to 1.

# Conflicts:
#	.github/workflows/pull-request.yml
#	charts/common/Chart.yaml
#	charts/common/templates/_helpers.tpl
#	examples/common/cronjob/Chart.yaml
#	examples/common/grpc-app/Chart.yaml
#	examples/common/multi-container/Chart.yaml
#	examples/common/multi-deploy/Chart.yaml
#	examples/common/simple-app/Chart.yaml
#	examples/common/typical-backend/Chart.yaml
#	examples/common/typical-frontend/Chart.yaml

Replace the split credential model (ExternalSecrets for proxy connection
names + Terraform-created K8s secrets for credentials) with a unified
approach where secretKeyPrefix is the single contract between Terraform
and Helm.

Given a prefix (default PG), the chart derives all Secret Manager keys
({prefix}INSTANCES, {prefix}USER, {prefix}PASSWORD) and fetches
everything via ExternalSecrets. The simplest case is just
`postgres.enabled: true`.

Changes:
- postgres.instances now takes objects with secretKeyPrefix instead of
  raw Secret Manager key names
- New sql-credentials ExternalSecret fetches {prefix}USER and
  {prefix}PASSWORD from Secret Manager
- Chart generates {prefix}HOST=localhost and {prefix}PORT=5432+index
  as env vars (no longer fetched from Secret Manager)
- Proxy command adds --port=5432 for deterministic port assignment
- postgres.termTimeout renamed to postgres.maxSigtermDelay to match
  the Cloud SQL Proxy v2 flag
- Removed v1 compatibility tests and deprecated fields
  (connectionConfig, memoryLimit)

Claude Code skill that automates migrating Helm values files from
common chart v1 to v2. Covers all breaking changes: shortname to
appId, scaling field moves, postgres secretKeyPrefix integration,
memoryLimit removal, and configmap.toEnv removal.

Default container.cpu raised from 0.1 to 0.3 and container.memory from
16 to 512 (Mi). The previous defaults were stub values that would
OOMKill any JVM app before it finished booting; the JVM alone needs
~150-250 MiB before app code runs, and ~90% of Entur services are
Spring Boot.

Existing values that omit container.cpu / container.memory will see
3x CPU and 32x memory requests on next deploy. Override down for
non-JVM workloads (sidecars, small Go services, static frontends).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The pull_request branches filter was matching the wrong direction
(base instead of head), so the workflow never triggered on
release-please PRs. Switch to filtering base on main and gating the
job with an if: condition on github.head_ref.

Also fix:
- checkout uses github.head_ref instead of github.ref (which is the
  ephemeral merge ref on pull_request events)
- drop redundant git switch (checkout already lands on the branch)
- move the printf below the VERSION export
- replace inline shell substitution in jq and yq filters with --arg /
  strenv for safer interpolation
- quote $CUR_CHART in find
- add a concurrency group to avoid races with release-please
  regenerations

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Add README.md.gotmpl per example so the narrative survives helm-docs
regeneration. Each template renders the chart header and badges, then
custom what / when / key-values sections, then the auto-generated
requirements + values tables.

The narrative explains each example's purpose in plain language, with
cross-references between them (e.g. cronjob points to multi-deploy
for event-driven work; multi-container points to multi-deploy as the
preferred alternative when processes can run independently). A short
gloss of "ingress" is included where relevant.

Also fix a TZx -> TZ typo in typical-frontend/values.yaml so the
configmap example matches the standard timezone env var.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>