[WIP] Add Helm chart for Ghostfolio compatible with ArgoCD

[Claude]

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

---

This section details on the original issue you should resolve

<issue_title>[FEATURE] New chart: Ghostfolio — ArgoCD-compatible with CNPG, backup/restore</issue_title>
<issue_description>## Description

Add a new Helm chart for Ghostfolio, a privacy-first open source portfolio tracker. The chart must be fully compatible with ArgoCD offline rendering (no lookup or randAlphaNum causing drift).

Motivation

TrueCharts ghostfolio chart (trueforge-org/truecharts) uses the following pattern in _secrets.tpl:

{{- $accesstokensalt := randAlphaNum 50 }}
{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
  {{- $accesstokensalt = (index .data "ACCESS_TOKEN_SALT") | b64dec -}}
{{- end }}

The intent is correct (lookup || randAlphaNum), but ArgoCD renders manifests offline (no cluster access). The lookup always returns empty → randAlphaNum is called on every render → different values each sync → permanent drift on the Secret and on checksum/secrets annotations of dependent Deployments.

Proposed Solution

A new chart with:

• No generated secrets by default (opt-in only)
• When secret generation is enabled: idempotent — lookup is the only render path in connected mode, randAlphaNum only on first install
• checksum/secrets annotations on Deployments must not reference randAlphaNum-generated secrets in offline mode — or must be opt-outable

Chart Information (if applicable)

• Chart name: ghostfolio
• Chart version: new

Use Case

Deploy Ghostfolio via ArgoCD GitOps without permanent OutOfSync drift. Secrets managed externally via SOPS/kustomize and referenced by secretKeyRef.

Alternatives Considered (optional)

• TrueCharts — eliminated: randAlphaNum + lookup incompatible with ArgoCD offline rendering
• ignoreDifferences in ArgoCD — workaround only, does not fix the root cause
• Helm wrapper chart — overly complex to maintain across TrueCharts updates

Additional Context (optional)

Components required

Application

• Image: ghostfolio/ghostfolio, port 3333
• Env vars: ACCESS_TOKEN_SALT, JWT_SECRET_KEY, DATABASE_URL, REDIS_HOST, REDIS_PASSWORD, REDIS_PORT

Database

• PostgreSQL via CNPG (CloudNativePG) — operator already present on cluster
• Single node by default, scalable to multi-node (streaming replication)
• initdb credentials from a pre-existing Kubernetes Secret (never generated by chart)

Cache

• Redis standalone

Backup (PostgreSQL)

• Nightly CronJob using postgres:16
• pg_dump -Fc to NFS volume
• Post-dump integrity check: pg_restore --list
• Configurable retention (keep last N dumps)
• NFS server + path configurable

Restore

• Kubernetes Job, disabled by default
• Dump file selected by parameter
• Enabled manually via GitOps (flip enabled: true + set RESTORE_FILE)

Acceptance Criteria

• No randAlphaNum or lookup that causes drift when rendered offline by ArgoCD
• Secret generation opt-outable — pre-existing secret can be referenced instead
• When generation is enabled, output is idempotent across renders (connected mode)
• checksum/secrets annotations do not diverge between ArgoCD renders
• CNPG cluster configured via pre-existing credentials secret
• Nightly backup CronJob to NFS with configurable retention
• Restore Job disabled by default, activatable via values

Completion Checklist

• I have searched existing issues to avoid duplicates
• I have clearly described the feature and its motivation
• I have provided use cases or examples
• I have defined acceptance criteria</issue_description>

Comments on the Issue (you are @claude[agent] in this section)

[github-actions]

KICS version: v2.1.20

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 55 Files parsed 30 Files failed to scan 0 Total executed queries 142 Queries failed to execute 0 Execution time 3

Queries Results

| |

[github-advanced-security]

KICS found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[github-actions]

PR Charts Available for Testing

• ghostfolio version 1.0.0-pr232
• persistent-volume version 0.1.1-pr232
• common version 2.1.2-pr232

Testing with Helm

helm repo add pr-charts https://raw.githubusercontent.com/trowaflo/helm-charts/pr-charts
helm repo update
helm install test-release pr-charts/<chart-name> --version <version>

Charts are automatically removed when this PR is merged or closed.