docs: update GitLab links

    * [ ] add project logo (`logo.png` file) - preferably 256x256

    * [ ] define [Merge Request pipeline](https://to-be-continuous.gitlab.io/doc/usage/#merge-request-workflow) as the default workflow strategy

    * [ ] defines a base (hidden) job

    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)

    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)

    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)

    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)

* Publicly usable:

    * [ ] runners: untagged

    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy` configuration 

    * (type here the used build & test tools/frameworks)

    * [ ] mapped to the `build` stage

    * [ ] declare a common `.test-policy` job with rules implementing the [Adaptive Pipeline strategy](https://to-be-continuous.gitlab.io/doc/usage/#test-analysis-jobs-rules) and use in test & SAST jobs

    * [ ] unit tests report integration using [JUnit test report](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit)

    * [ ] code coverage computing and [integration](https://docs.gitlab.com/ee/ci/yaml/#coverage)

    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration

    * [ ] unit tests report integration using [JUnit test report](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsjunit)

    * [ ] code coverage computing and [integration](https://docs.gitlab.com/ci/yaml/#coverage)

    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration

* (optional) Code analysis job(s):

    * (type here the used code analysis tools)

    * [ ] mapped to the `test` stage

* Deployment jobs:

    * [ ] one hidden deploy job prototype

    * [ ] persist and propagate the `$CI_ENVIRONMENT_URL` variable as `environment_url` variable using a 

      [dotenv artifact](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)

      [dotenv artifact](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)

    * [ ] each env can be enabled/disabled by configuration

    * [ ] each env uses the [`resource_group`](https://docs.gitlab.com/ee/ci/yaml/#resource_group) feature to prevent 

    * [ ] each env uses the [`resource_group`](https://docs.gitlab.com/ci/yaml/#resource_group) feature to prevent 

      multiple pipelines from deploying to the same environment at the same time

    * [ ] **review** deployment job

        * mapped to the `deploy` stage

        * must be executed on non-`master`, non-`develop` branches only

        * must reference the **cleanup-review** job (see below) in its [`environment:on_stop`](https://docs.gitlab.com/ee/ci/yaml/#environmenton_stop)

        * must reference the **cleanup-review** job (see below) in its [`environment:on_stop`](https://docs.gitlab.com/ci/yaml/#environmenton_stop)

    * [ ] **integration** deployment job

        * mapped to the `deploy` stage

        * must be executed on `develop` branch only

    * [ ] **review** cleanup job

        * mapped to the `deploy` stage

        * must be executed on non-`master`, non-`develop` branches only

        * must be associated to the [`environment:action:stop`](https://docs.gitlab.com/ee/ci/yaml/#environmentaction) event

        * must be associated to the [`environment:action:stop`](https://docs.gitlab.com/ci/yaml/#environmentaction) event

* (optional) Analysis job(s) (linters, dependency checks, ...) depending on the technologies:

    * [ ] mapped to the `test` stage

    * [ ] declare a common `.test-policy` job with rules implementing the [Adaptive Pipeline strategy](https://to-be-continuous.gitlab.io/doc/usage/#test-analysis-jobs-rules) and use in test & SAST jobs

* Acceptance test job:

    * [ ] mapped to the `acceptance` stage

    * [ ] declare a common `.acceptance-policy` job with rules implementing the [Adaptive Pipeline strategy](https://to-be-continuous.gitlab.io/doc/usage/#test-analysis-jobs-rules) and use in test & SAST jobs

    * [ ] tests report integration using [JUnit test report](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit)

    * [ ] tests report integration using [JUnit test report](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsjunit)

    * [ ] auto-evaluating the environment url to test based on the possible upstream `$environment_url` variable or via 

      an `environment_url.txt` file.

## Checklist

* General:

    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)

    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)

    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)

    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)

* Publicly usable:

    * [ ] untagged runners

    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).

2. Make sure the issue has been reviewed and agreed.

3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).

3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).

   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

### Git Commit Conventions

## Usage

This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) 

or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.

This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) 

or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.

### Use as a CI/CD component

When enabled, it deploys the result from upstream build stages to a dedicated and temporary environment.

It is only active for non-production, non-integration branches.

It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/) feature.

It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ci/review_apps/) feature.

It also comes with a _cleanup_ job (accessible either from the _environments_ page, or from the pipeline view).

are at your disposal within your `helmfile` templates:

- [deployment context variables](#deployment-context-variables) provided by the CI/CD template,

- any [GitLab CI variable](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)

- any [custom variable](https://docs.gitlab.com/ee/ci/variables/#for-a-project)

- any [GitLab CI variable](https://docs.gitlab.com/ci/variables/predefined_variables/)

- any [custom variable](https://docs.gitlab.com/ci/variables/#for-a-project)

(ex: ${SECRET_TOKEN} that you have set in your project CI/CD variables)

The deployment context variable `$environment_type` is passed as

The Helmfile template supports two ways of providing your environments url:

* a **static way**: when the environments url can be determined in advance, probably because you're exposing your routes through a DNS you manage,

* a [**dynamic way**](https://docs.gitlab.com/ee/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the deployment job is executed.

* a [**dynamic way**](https://docs.gitlab.com/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the deployment job is executed.

The **static way** can be implemented simply by setting the appropriate configuration variable(s) depending on the environment (see environments configuration chapters):

### Deployment output variables

Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)):

Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):

* `$environment_type`: set to the type of environment (`review`, `integration`, `staging` or `production`),

* `$environment_name`: the application name (see below),

Here are some advices about your **secrets** (variables marked with a :lock:):

1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project):

    * [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently

1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project):

    * [**masked**](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently

      displayed in your job logs,

    * [**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets

    * [**protected**](https://docs.gitlab.com/ci/variables/#protected-cicd-variables) if you want to secure some secrets

      you don't want everyone in the project to have access to (for instance production secrets).

2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable),

2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable),

  simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:

  it will then be possible to mask it and the template will automatically decode it prior to using it.

3. Don't forget to escape special characters (ex: `$` -> `$$`).

| `cli-image` / `HELMFILE_CLI_IMAGE` | The Docker image used to run helmfile <br/>:warning: **set the version required by your Kubernetes server** | `ghcr.io/helmfile/helmfile:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-HELMFILE_CLI_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-HELMFILE_CLI_IMAGE) |

| `path` / `HELMFILE_PATH` | The path to your `helmfile.yaml` | `./helmfile.yaml` |

| `scripts-dir` / `HELMFILE_SCRIPTS_DIR` | The folder where hook scripts are located | `.` _(root project dir)_ |

| `kube-namespace` / `KUBE_NAMESPACE` | The default Kubernetes namespace to use | `"${CI_PROJECT_NAME}-${CI_PROJECT_ID}-${CI_ENVIRONMENT_SLUG}"` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |

| `KUBE_CONTEXT`      | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ee/ci/environments/index.html#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ |

| :lock: `HELMFILE_DEFAULT_KUBE_CONFIG` | The default kubeconfig to use (either content or file variable) | `$KUBECONFIG` (thus supports the [GitLab Kubernetes integration](https://docs.gitlab.com/ee/user/project/clusters/index.html) when enabled) |

| `kube-namespace` / `KUBE_NAMESPACE` | The default Kubernetes namespace to use | `"${CI_PROJECT_NAME}-${CI_PROJECT_ID}-${CI_ENVIRONMENT_SLUG}"` ([see GitLab doc](https://docs.gitlab.com/ci/variables/predefined_variables/)) |

| `KUBE_CONTEXT`      | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ci/environments/#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ |

| :lock: `HELMFILE_DEFAULT_KUBE_CONFIG` | The default kubeconfig to use (either content or file variable) | `$KUBECONFIG` (thus supports the [GitLab Kubernetes integration](https://docs.gitlab.com/user/project/clusters/) when enabled) |

| `deploy-args` / `HELMFILE_DEPLOY_ARGS` | The helmfile [command with options](https://helmfile.readthedocs.io/en/latest/#apply) to deploy the application (_without dynamic global parameters such as `helmfile.yaml` path and environment name_) | `apply --wait` |

| `delete-args` / `HELMFILE_DELETE_ARGS` | The helmfile [command with options](https://helmfile.readthedocs.io/en/latest/#destroy) to cleanup the application (_without dynamic global parameters such as `helmfile.yaml` path and environment name_) | `destroy` |

| `base-app-name` / `HELMFILE_BASE_APP_NAME` | Base application name                  | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |

| `base-app-name` / `HELMFILE_BASE_APP_NAME` | Base application name                  | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ci/variables/predefined_variables/)) |

| `environment-url` / `HELMFILE_ENVIRONMENT_URL`    | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.helm.acme.com`)_ | _none_ |

| :lock: `HELMFILE_PGP_PRIVATE_KEY_FILE` | PGP Private key for decrypting helmfile secrets (optional) | _none_ |

| :lock: `HELMFILE_PGP_PASSPHRASE` | Passphrase for PGP private key (optional) | _none_ |

| `image-pull-secret-name` / `HELMFILE_IMAGE_PULL_SECRET_NAME` | Name of the `docker-registry` k8s secret that will be created if the special [GitLab deploy token](https://docs.gitlab.com/ee/user/project/deploy_tokens/#gitlab-deploy-token) is available. | `gitlab-registry` |

| `image-pull-secret-name` / `HELMFILE_IMAGE_PULL_SECRET_NAME` | Name of the `docker-registry` k8s secret that will be created if the special [GitLab deploy token](https://docs.gitlab.com/user/project/deploy_tokens/#gitlab-deploy-token) is available. | `gitlab-registry` |

### Review environments configuration

| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |

| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |

By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

#### Usage

    },

    {

      "name": "KUBE_NAMESPACE",

      "description": "The default Kubernetes namespace to use. _Leave default if [GitLab Kubernetes integration](https://docs.gitlab.com/ee/user/project/clusters/index.html) is enabled._"

      "description": "The default Kubernetes namespace to use. _Leave default if [GitLab Kubernetes integration](https://docs.gitlab.com/user/project/clusters/) is enabled._"

    },

    {

      "name": "HELMFILE_DEFAULT_KUBE_CONFIG",

    },

    {

      "name": "HELMFILE_IMAGE_PULL_SECRET_NAME",

      "description": "Name of the `docker-registry` k8s secret that will be created if the special [GitLab deploy token](https://docs.gitlab.com/ee/user/project/deploy_tokens/#gitlab-deploy-token) is available.",

      "description": "Name of the `docker-registry` k8s secret that will be created if the special [GitLab deploy token](https://docs.gitlab.com/user/project/deploy_tokens/#gitlab-deploy-token) is available.",

      "default": "gitlab-registry",

      "advanced": true

    }

    {

      "id": "review",

      "name": "Review",

      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/))",

      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ci/review_apps/))",

      "enable_with": "HELMFILE_REVIEW_ENABLED",

      "variables": [

        {