Add ingress and staged Neo4j TLS Helm profiles

[tgarciai]

Summary

• align the public docs with the kernel state, transport security status, and the strongest E2E paths
• add first-class Helm ingress rendering plus service annotations and enable the sibling runtime ingress host in values.underpass-runtime.yaml
• add a staged secure sibling-runtime profile for neo4jTls so the graph CA path is concrete once the shared Neo4j endpoint exposes TLS

Validation

• bash scripts/ci/helm-lint.sh
• git diff --check
• helm template rehydration-kernel charts/rehydration-kernel -f charts/rehydration-kernel/values.underpass-runtime.yaml --set image.tag=starship-full-journey-20260318-203412-d0e7a79-dirty
• helm template rehydration-kernel charts/rehydration-kernel -f charts/rehydration-kernel/values.underpass-runtime.secure.example.yaml --set image.tag=starship-full-journey-20260318-203412-d0e7a79-dirty
• helm upgrade --install rehydration-kernel charts/rehydration-kernel -n underpass-runtime -f charts/rehydration-kernel/values.underpass-runtime.yaml --set image.tag=starship-full-journey-20260318-203412-d0e7a79-dirty --wait --timeout 5m
• bash scripts/demo/run-starship-cluster-journey.sh run

Notes

• ingress is live in the cluster for rehydration-kernel.underpassai.com via the nginx controller
• neo4jTls is staged, not live, because the shared Neo4j StatefulSet is still serving plaintext bolt and there is no namespace-local CA secret yet

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud