feat: add AnalysisTemplate + Feature Flags to web-app chart

- AnalysisTemplate: web provider health check on canary /healthz
  (10s interval, 6 checks, 3 failure limit → auto-rollback)
- Feature Flags: ConfigMap → config.js mount via window.__APP_CONFIG__
  pattern for static SPA (annotation hash for auto-restart)
- NetworkPolicy: allow argo-rollouts namespace for analysis HTTP checks
- Prod arch-docs: enable analysis + showBetaFeatures flag

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

charts/web-app/templates/analysis-template.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.rollout.enabled .Values.rollout.analysis.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: {{ include "web-app.fullname" . }}-canary-health
+  labels:
+    {{- include "web-app.labels" . | nindent 4 }}
+spec:
+  metrics:
+    - name: canary-health
+      interval: {{ .Values.rollout.analysis.interval | default "10s" }}
+      count: {{ .Values.rollout.analysis.count | default 6 }}
+      failureLimit: {{ .Values.rollout.analysis.failureLimit | default 3 }}
+      provider:
+        web:
+          url: http://{{ include "web-app.fullname" . }}-canary.{{ .Release.Namespace }}.svc.cluster.local/healthz
+          timeoutSeconds: {{ .Values.rollout.analysis.timeoutSeconds | default 5 }}
+{{- end }}

charts/web-app/templates/configmap-flags.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.featureFlags.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "web-app.fullname" . }}-feature-flags
+  labels:
+    {{- include "web-app.labels" . | nindent 4 }}
+data:
+  config.js: |
+    window.__APP_CONFIG__ = {
+      {{- range $key, $value := .Values.featureFlags.flags }}
+      {{ $key }}: {{ $value }},
+      {{- end }}
+    };
+{{- end }}

charts/web-app/templates/deployment.yaml

@@ -14,6 +14,10 @@ spec:
       {{- include "web-app.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- if .Values.featureFlags.enabled }}
+      annotations:
+        checksum/feature-flags: {{ include (print $.Template.BasePath "/configmap-flags.yaml") . | sha256sum }}
+      {{- end }}
       labels:
         {{- include "web-app.selectorLabels" . | nindent 8 }}
     spec:
@@ -58,10 +62,21 @@ spec:
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+            {{- if .Values.featureFlags.enabled }}
+            - name: feature-flags
+              mountPath: /usr/share/nginx/html/config.js
+              subPath: config.js
+              readOnly: true
+            {{- end }}
       volumes:
         - name: tmp
           emptyDir: {}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- if .Values.featureFlags.enabled }}
+        - name: feature-flags
+          configMap:
+            name: {{ include "web-app.fullname" . }}-feature-flags
+        {{- end }}
 {{- end }}

charts/web-app/templates/networkpolicy.yaml

@@ -19,6 +19,15 @@ spec:
       ports:
         - port: {{ .Values.containerPort }}
           protocol: TCP
+    {{- if and .Values.rollout.enabled .Values.rollout.analysis.enabled }}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: argo-rollouts
+      ports:
+        - port: {{ .Values.containerPort }}
+          protocol: TCP
+    {{- end }}
   egress:
     - to:
         - namespaceSelector: {}

charts/web-app/templates/rollout.yaml

@@ -21,9 +21,28 @@ spec:
         nginx:
           stableIngress: {{ include "web-app.fullname" . }}
       steps:
-        {{- toYaml .Values.rollout.steps | nindent 8 }}
+        {{- range .Values.rollout.steps }}
+        {{- if .setWeight }}
+        - setWeight: {{ .setWeight }}
+        {{- if $.Values.rollout.analysis.enabled }}
+        - analysis:
+            templates:
+              - templateName: {{ include "web-app.fullname" $ }}-canary-health
+        {{- end }}
+        {{- end }}
+        {{- if .pause }}
+        {{- if not $.Values.rollout.analysis.enabled }}
+        - pause:
+            {{- toYaml .pause | nindent 14 }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
   template:
     metadata:
+      {{- if .Values.featureFlags.enabled }}
+      annotations:
+        checksum/feature-flags: {{ include (print $.Template.BasePath "/configmap-flags.yaml") . | sha256sum }}
+      {{- end }}
       labels:
         {{- include "web-app.selectorLabels" . | nindent 8 }}
     spec:
@@ -68,10 +87,21 @@ spec:
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+            {{- if .Values.featureFlags.enabled }}
+            - name: feature-flags
+              mountPath: /usr/share/nginx/html/config.js
+              subPath: config.js
+              readOnly: true
+            {{- end }}
       volumes:
         - name: tmp
           emptyDir: {}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- if .Values.featureFlags.enabled }}
+        - name: feature-flags
+          configMap:
+            name: {{ include "web-app.fullname" . }}-feature-flags
+        {{- end }}
 {{- end }}

charts/web-app/values.yaml

@@ -57,6 +57,16 @@ rollout:
     - pause: { duration: 60s }
     - setWeight: 50
     - pause: { duration: 60s }
+  analysis:
+    enabled: false
+    interval: "10s"
+    count: 6
+    failureLimit: 3
+    timeoutSeconds: 5
+
+featureFlags:
+  enabled: false
+  flags: {}
 
 autoscaling:
   enabled: false

environments/prod/arch-docs.yaml

@@ -39,6 +39,13 @@ rollout:
     - pause: { duration: 60s }
     - setWeight: 50
     - pause: { duration: 60s }
+  analysis:
+    enabled: true
+
+featureFlags:
+  enabled: true
+  flags:
+    showBetaFeatures: false
 
 service:
   type: ClusterIP