feat: add safer secret handling for helm env vars #48 #58

Merged: ibourgeois merged 2 commits into main from feat/48-safer-secret-handling on Apr 9, 2026

@ibourgeois (Contributor)

Summary

  • split Helm app configuration into plain env values and secret-backed values
  • generate per-environment secret example overlays and ignore real secret overlay files in the Laravel app
  • automatically include values.<environment>.secrets.yaml during beacon:deploy when present
  • support either Beacon-managed Helm secrets or an existing Kubernetes secret chosen during install

Testing

php84 vendor/bin/pest tests/Unit/Filesystem/GitignoreUpdaterTest.php tests/Unit/Install/InstallConfigurationCollectorTest.php
php84 vendor/bin/pest tests/Unit/Helm/HelmChartGeneratorTest.php tests/Feature/InstallCommandTest.php tests/Feature/DeployCommandTest.php
php84 "/Users/ibourgeois/Library/Application Support/Herd/bin/composer" test
php84 "/Users/ibourgeois/Library/Application Support/Herd/bin/composer" validate --strict --no-check-publish

Closes #48

Copilot AI review requested due to automatic review settings April 9, 2026 05:23
Copilot AI left a comment

Pull request overview

Adds a safer Helm secret workflow by separating non-sensitive env values from secret-backed values, generating secret overlay examples, ignoring real secret overlays, and optionally including a secret overlay during deploy.

Changes:

  • Introduces secretHandling install configuration (managed Helm Secret vs existing Kubernetes Secret) and updates install prompt/summary output.
  • Extends Helm chart scaffolding with secret example overlays plus templates/secret.yaml, and updates the deployment template to consume secrets via envFrom.
  • Updates beacon:deploy to include values.<environment>.secrets.yaml when present and updates install to append the secret overlay pattern to .gitignore.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/Install/InstallConfiguration.php | Adds secret-handling settings/validation and exposes labels/helm detection. |
| src/Install/InstallConfigurationCollector.php | Prompts for secret handling + existing secret name and computes defaults. |
| src/Helm/HelmChartGenerator.php | Generates new secret example overlays and secret template; wires secret-related replacements. |
| stubs/helm/values.yaml.stub | Adds secret.* values section used by templates for both strategies. |
| stubs/helm/templates/deployment.yaml.stub | Adds conditional env and envFrom secretRef wiring. |
| stubs/helm/templates/secret.yaml.stub | Adds a managed Secret manifest template driven by secret.env. |
| stubs/helm/templates/_helpers.tpl.stub | Adds helper for stable secret naming. |
| src/Deploy/HelmReleaseDeployer.php | Allows optional third values file for secrets overlay. |
| src/Commands/DeployCommand.php | Detects and includes values.<env>.secrets.yaml when it exists. |
| src/Filesystem/GitignoreUpdater.php | New helper to ensure secret overlay patterns are appended to .gitignore. |
| src/Install/InstallWorkflow.php / src/Install/InstallResult.php / src/Commands/InstallCommand.php | Ensures .gitignore is updated during helm installs and reports the result. |
| tests/* | Adds/updates unit + feature coverage for new secret handling, helm generation, deploy behavior, and gitignore updating. |
| README.md | Documents the new secret workflow, generated files, and deploy behavior. |


Comment thread src/Filesystem/GitignoreUpdater.php Outdated
Comment thread README.md Outdated
@ibourgeois ibourgeois merged commit f5a2039 into main Apr 9, 2026
12 checks passed
@ibourgeois ibourgeois deleted the feat/48-safer-secret-handling branch April 9, 2026 05:49
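
An added check, not part of this pull request or the project's code: a .gitignore entry only stops untracked files from being staged, so a secret overlay that was committed or force-added earlier stays tracked. The functions below (hypothetical names) list both tracked and not-yet-ignored overlays, assuming the `values.<environment>.secrets.yaml` naming used in this pull request.

```shell
#!/bin/sh
# Added example, not project code. Assumes real overlays are named
# values.<environment>.secrets.yaml, the name given in this pull request.
PATTERN='*values.*.secrets.yaml'

# Overlays already in the index. A .gitignore entry added later does not
# untrack a file that was committed or force-added earlier.
tracked_secret_overlays() {
    git -C "$1" ls-files -- "$PATTERN"
}

# Overlays on disk that are neither tracked nor ignored, so a later
# `git add .` would stage them.
unignored_secret_overlays() {
    git -C "$1" ls-files --others --exclude-standard -- "$PATTERN"
}

# Report both kinds on stderr. Returns 0 when nothing is exposed, 1 otherwise.
check_secret_overlays() {
    repo=$1
    rc=0
    tracked=$(tracked_secret_overlays "$repo")
    loose=$(unignored_secret_overlays "$repo")
    if [ -n "$tracked" ]; then
        printf '%s\n' "$tracked" | sed 's/^/tracked secret overlay: /' >&2
        rc=1
    fi
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/secret overlay not ignored: /' >&2
        rc=1
    fi
    return "$rc"
}
```

Call `check_secret_overlays .` from a pre-commit hook or CI step. For a tracked overlay, `git rm --cached <file>` removes it from the index, and any secret it held should be rotated because it remains in history.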
Development: successfully merging this pull request may close these issues: feat: add safer secret handling for app env vars