From 8e7fd6a7d8830baa903ecdc6800dc384fc171a73 Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Tue, 24 Feb 2026 19:23:29 -0500
Subject: [PATCH] =?UTF-8?q?fix(helm):=20upgrade-safe=20deployment=20?=
 =?UTF-8?q?=E2=80=94=20PVC=20for=20data,=20explicit=20RollingUpdate=20stra?=
 =?UTF-8?q?tegy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add pvc.yaml for /app/data with helm.sh/resource-policy: keep annotation
  (persistence.enabled=false by default; emptyDir is preserved for stateless installs)
- Update deployment to use PVC when persistence.enabled=true, else emptyDir
- Add explicit strategy: RollingUpdate maxSurge:1 maxUnavailable:0 for zero-downtime upgrades
- Add persistence config block to values.yaml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../helm/workflow/templates/deployment.yaml   | 10 ++++++++++
 deploy/helm/workflow/templates/pvc.yaml       | 20 +++++++++++++++++++
 deploy/helm/workflow/values.yaml              |  9 +++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 deploy/helm/workflow/templates/pvc.yaml

diff --git a/deploy/helm/workflow/templates/deployment.yaml b/deploy/helm/workflow/templates/deployment.yaml
index c6e57d70..406dafd8 100644
--- a/deploy/helm/workflow/templates/deployment.yaml
+++ b/deploy/helm/workflow/templates/deployment.yaml
@@ -8,6 +8,11 @@ spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
   selector:
     matchLabels:
       {{- include "workflow.selectorLabels" . | nindent 6 }}
@@ -90,7 +95,12 @@ spec:
             {{- end }}
       volumes:
         - name: data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "workflow.fullname" . }}-data
+          {{- else }}
           emptyDir: {}
+          {{- end }}
         {{- if .Values.config.inline }}
         - name: config
           configMap:
diff --git a/deploy/helm/workflow/templates/pvc.yaml b/deploy/helm/workflow/templates/pvc.yaml
new file mode 100644
index 00000000..acd742db
--- /dev/null
+++ b/deploy/helm/workflow/templates/pvc.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "workflow.fullname" . }}-data
+  labels:
+    {{- include "workflow.labels" . | nindent 4 }}
+  annotations:
+    # Keep PVC on helm uninstall to prevent data loss
+    helm.sh/resource-policy: keep
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- end }}
diff --git a/deploy/helm/workflow/values.yaml b/deploy/helm/workflow/values.yaml
index a09bd700..ce4e7b00 100644
--- a/deploy/helm/workflow/values.yaml
+++ b/deploy/helm/workflow/values.yaml
@@ -93,6 +93,15 @@ env:
 # Sensitive values from Kubernetes secrets
 envFromSecret: ""
 
+# Plugin and runtime data persistence
+# With emptyDir (disabled), data is lost on pod restart — plugins must be re-fetched.
+# Enable to retain downloaded plugins and runtime state across restarts.
+persistence:
+  enabled: false
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 1Gi
+
 # Prometheus monitoring
 monitoring:
   enabled: false