Implement app deployment improvements

docs/django-on-railiance.md

@@ -0,0 +1,54 @@
+# Django on Railiance
+
+This is the short recipe for Django workloads running as S5 apps on the
+Railiance cluster.
+
+## Probe Host Header
+
+Production Django usually runs with `DEBUG=False` and a narrow
+`ALLOWED_HOSTS`. Kubelet HTTP probes do not use the public app host by
+default; they send the pod IP as the `Host` header. Django rejects that
+before the request reaches the health view, so kubelet sees `HTTP 400`
+and restarts an otherwise healthy pod.
+
+Set the probe `Host` header to a value that is also present in
+`ALLOWED_HOSTS`:
+
+```yaml
+env:
+  ALLOWED_HOSTS: app.example.org,localhost
+
+probes:
+  enabled: true
+  path: /health/
+  port: 8000
+  hostHeader: app.example.org
+```
+
+The `charts/vergabe-teilnahme` chart already renders this as:
+
+```yaml
+httpGet:
+  path: /health/
+  port: 8000
+  httpHeaders:
+    - name: Host
+      value: app.example.org
+```
+
+When changing the public hostname or `ALLOWED_HOSTS`, change
+`probes.hostHeader` in the same review.
+
+## Database URL Secrets
+
+CNPG-generated role passwords may contain URL-reserved characters such
+as `=`, `+`, and `/`. If the app consumes `DATABASE_URL`, URL-encode the
+password when building the env Secret:
+
+```bash
+make vergabe-db-url-secret
+```
+
+For new charts, prefer either this helper or separate PostgreSQL env
+vars (`POSTGRES_HOST`, `POSTGRES_USER`, `POSTGRES_PASSWORD`,
+`POSTGRES_DB`) so there is no URL parser in the path.