Thank you for installing **{{ .Chart.Name }}**.

Release: {{ .Release.Name }} / namespace {{ .Release.Namespace }}

Services use ClusterIP; expose via ingress, gateway, or kubectl port-forward.

------------------------------------------------------------
## Components

- server: {{ include "certs-ui.fullname" . }}-server:{{ .Values.components.server.service.port }}
- client: {{ include "certs-ui.fullname" . }}-client:{{ .Values.components.client.service.port }}
- reverseproxy: {{ include "certs-ui.fullname" . }}-reverseproxy:{{ .Values.components.reverseproxy.service.port }}

Port-forward API example:

  kubectl port-forward svc/{{ include "certs-ui.fullname" . }}-server {{ .Values.components.server.service.port }}:{{ .Values.components.server.service.port }} -n {{ .Release.Namespace }}

------------------------------------------------------------
## Images

Image tag: `components.*.image.tag`, then `global.image.tag`, then Chart `appVersion`.

**imagePullPolicy** resolves as: `components.*.image.pullPolicy` (if set in your values), else `global.image.pullPolicy`, else `IfNotPresent`. Values may use **`always`** / **`Always`** (normalized for the Pod spec).

With **`Always`**, the chart sets pod annotation **`rollme`**: by default **`r<Release.Revision>-<unixEpoch>`** so each **`helm upgrade`** bumps the revision even when the tag is unchanged. For **`helm template`** output committed to git, revision is usually **1** and epoch is frozen until you re-render — then pass **`global.rolloutNonce`** from CI (unique per deploy, e.g. pipeline id) so the applied manifest changes every image push. Pin **`global.rollme`** to a string you bump when you need a stable, deterministic rollout key.

With **`IfNotPresent`** (default), **`rollme`** is omitted; the node may keep a cached layer for a mutable tag even if you replace the tag in the registry.

Pod annotation **certs-ui.io/image** is the resolved `registry/repository:tag` for debugging.

------------------------------------------------------------
## Config

Root keys `certsServerConfig`, `certsServerSecrets`, `certsClientRuntime` feed templated `configMapFile` / `secretsFile` content when `tpl: true`.

Use `existingConfigMap` / `existingSecret` to mount resources created outside the chart. With `keep: true`, existing objects are not replaced on upgrade if already present.

------------------------------------------------------------
## Uninstall

  helm uninstall {{ .Release.Name }} -n {{ .Release.Namespace }}
