fix(helm): prevent realtime envDefaults from masking app.env Secret values; add StatefulSet upgrade NOTES

- Realtime override-skip now considers keys set in either app.env or
  realtime.env. The shared app Secret is mounted via envFrom on the
  realtime pod, so a key set in app.env (e.g. NEXT_PUBLIC_APP_URL) would
  previously be masked by the realtime envDefault (inline env overrides
  envFrom in K8s).
- NOTES.txt now prints a StatefulSet orphan-delete reminder on upgrade,
  surfacing the immutable serviceName issue documented in the README.

Author: waleedlatif1

helm/sim/templates/NOTES.txt

@@ -78,7 +78,27 @@ Your release is named {{ .Release.Name }} in namespace {{ .Release.Namespace }}.
      # Upgrade after changing values
      helm upgrade {{ .Release.Name }} ./helm/sim --namespace {{ .Release.Namespace }} -f your-values.yaml
 
+{{- if .Release.IsUpgrade }}
+5. Upgrading from a pre-1.0.0 build?
+
+   The internal Postgres StatefulSet's `spec.serviceName` was renamed to point
+   at a new headless Service. That field is immutable, so `helm upgrade` will
+   fail with: `Forbidden: updates to statefulset spec for fields other than
+   ...`. Orphan-delete the StatefulSet first (preserves pods and PVCs, traffic
+   keeps flowing):
+
+     kubectl --namespace {{ .Release.Namespace }} delete statefulset {{ include "sim.fullname" . }}-postgresql --cascade=orphan
+{{- if .Values.copilot.enabled }}
+     kubectl --namespace {{ .Release.Namespace }} delete statefulset {{ include "sim.fullname" . }}-copilot-postgresql --cascade=orphan
+{{- end }}
+
+   Then re-run `helm upgrade`. See README → "Upgrading from a pre-1.0.0 build"
+   for the full procedure. Skip this step if you're already on 1.0.0+.
+
+6. Where to go next:
+{{- else }}
 5. Where to go next:
+{{- end }}
 
    * Production checklist:  helm/sim/README.md (search "Production checklist")
    * Troubleshooting:       helm/sim/README.md (search "Troubleshooting")

helm/sim/templates/deployment-realtime.yaml

@@ -67,13 +67,20 @@ spec:
             {{- end }}
             {{- /*
               Inline realtime.envDefaults, skipping keys explicitly set in realtime.env
-              (K8s `env` overrides `envFrom`, so an inline default would otherwise mask
-              a user's Secret-bound value).
+              OR app.env (K8s `env` overrides `envFrom`, so an inline default would
+              otherwise mask a Secret-bound value). The chart-managed Secret is shared
+              between app and realtime via envFrom, so a key set in app.env (e.g.
+              NEXT_PUBLIC_APP_URL=https://prod.example.com) lands on the realtime pod
+              too — inlining the localhost envDefault here would mask it.
             */}}
             {{- $rtEnv := .Values.realtime.env | default dict }}
+            {{- $appEnv := .Values.app.env | default dict }}
             {{- range $key, $value := .Values.realtime.envDefaults | default dict }}
-            {{- $override := index $rtEnv $key }}
-            {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") (or (not $override) (eq (toString $override) "") (eq (toString $override) "<nil>")) }}
+            {{- $rtOverride := index $rtEnv $key }}
+            {{- $appOverride := index $appEnv $key }}
+            {{- $hasRt := and $rtOverride (ne (toString $rtOverride) "") (ne (toString $rtOverride) "<nil>") }}
+            {{- $hasApp := and $appOverride (ne (toString $appOverride) "") (ne (toString $appOverride) "<nil>") }}
+            {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") (not $hasRt) (not $hasApp) }}
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}