fix(infra): Reference .env variables in Helm values and Terraform backend

1. Helm values.yaml - MinIO credentials
   - Updated comments to document using .env variables (MINIO_ROOT_USER, MINIO_ROOT_PASSWORD)
   - Added usage examples with --set flags and envsubst approach
   - Values should be set from .env via helm install --set flags

2. Terraform backend.tf
   - Added comprehensive documentation for using environment variables
   - Documented partial backend configuration approach
   - Added comments showing how to override with TF_BACKEND_* env vars
   - Added environment variables to env.example for Terraform backend config

Both files now properly reference .env file variables and provide clear
documentation on how to use them during deployment.

Author: manavgup

deployment/helm/rag-modulo/values.yaml

@@ -265,12 +265,23 @@ minio:
       memory: 1Gi
   # Credentials (stored in Secret)
   # ⚠️ SECURITY: Credentials MUST be explicitly set or use existingSecret
-  # Option 1: Set rootUser and rootPassword explicitly
+  # These values should be set from .env file (MINIO_ROOT_USER, MINIO_ROOT_PASSWORD)
+  # 
+  # Usage with .env file:
+  #   source .env
+  #   helm install rag-modulo . \
+  #     --set minio.auth.rootUser=${MINIO_ROOT_USER} \
+  #     --set minio.auth.rootPassword=${MINIO_ROOT_PASSWORD}
+  #
+  # Or use envsubst (requires values.yaml to use ${MINIO_ROOT_USER} syntax):
+  #   envsubst < values.yaml > values-substituted.yaml
+  #   helm install rag-modulo . -f values-substituted.yaml
+  #
   # Option 2: Use existingSecret (recommended for production)
   # Both cannot be empty - validation will fail if neither is provided
   auth:
-    rootUser: "" # REQUIRED: Set to secure value or use existingSecret
-    rootPassword: "" # REQUIRED: Set to secure value or use existingSecret
+    rootUser: "" # REQUIRED: Set from .env MINIO_ROOT_USER via --set or use existingSecret
+    rootPassword: "" # REQUIRED: Set from .env MINIO_ROOT_PASSWORD via --set or use existingSecret
     existingSecret: "" # If set, uses this secret instead of rootUser/rootPassword
 
 # ============================================================================

deployment/terraform/backend.tf

@@ -1,14 +1,32 @@
 # Terraform Backend Configuration
 # This file configures the remote state backend using IBM Cloud Object Storage
+#
+# NOTE: Terraform backend blocks cannot use variables directly.
+# For dynamic configuration, use partial backend configuration:
+#   terraform init -backend-config="bucket=${TF_BACKEND_BUCKET}" \
+#                  -backend-config="region=${TF_BACKEND_REGION}" \
+#                  -backend-config="endpoint=${TF_BACKEND_ENDPOINT}"
+#
+# Environment variables (set in .env):
+#   TF_BACKEND_ENDPOINT - S3 endpoint (default: s3.us-south.cloud-object-storage.appdomain.cloud)
+#   TF_BACKEND_BUCKET - State bucket name (default: rag-modulo-terraform-state)
+#   TF_BACKEND_REGION - Region (default: us-south)
+#   TF_BACKEND_KEY - State file key (default: ibm/environments/terraform.tfstate)
+#
+# For local development, use the local backend (uncomment at bottom)
 
 terraform {
   backend "s3" {
     # IBM Cloud Object Storage S3-compatible endpoint
+    # Override via: -backend-config="endpoint=${TF_BACKEND_ENDPOINT}"
     endpoint = "s3.us-south.cloud-object-storage.appdomain.cloud"
 
     # Bucket configuration
+    # Override via: -backend-config="bucket=${TF_BACKEND_BUCKET}"
     bucket = "rag-modulo-terraform-state"
+    # Override via: -backend-config="key=${TF_BACKEND_KEY}"
     key    = "ibm/environments/terraform.tfstate"
+    # Override via: -backend-config="region=${TF_BACKEND_REGION}"
     region = "us-south"
 
     # Enable versioning and encryption

env.example

@@ -168,6 +168,12 @@ WATSONX_INSTANCE_ID=your-watsonx-instance-id
 # Milvus Configuration (Required for vector database)
 MILVUS_PORT=19530
 
+# Terraform Backend Configuration (Optional - for remote state management)
+# These are used when initializing Terraform with partial backend config
+# TF_BACKEND_ENDPOINT=s3.us-south.cloud-object-storage.appdomain.cloud
+# TF_BACKEND_BUCKET=rag-modulo-terraform-state
+# TF_BACKEND_REGION=us-south
+# TF_BACKEND_KEY=ibm/environments/terraform.tfstate
 
 # =============================================================================
 # DEVELOPMENT SETUP INSTRUCTIONS