102 lines
3.2 KiB
YAML
102 lines
3.2 KiB
YAML
|
---
|
||
|
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||
|
|
kind: HelmRelease
|
||
|
|
metadata:
|
||
|
|
name: &app system-upgrade-controller
|
||
|
|
spec:
|
||
|
|
interval: 30m
|
||
|
|
chart:
|
||
|
|
spec:
|
||
|
|
chart: app-template
|
||
|
|
version: 3.5.1
|
||
|
|
sourceRef:
|
||
|
|
kind: HelmRepository
|
||
|
|
name: bjw-s
|
||
|
|
namespace: flux-system
|
||
|
|
install:
|
||
|
|
remediation:
|
||
|
|
retries: 3
|
||
|
|
upgrade:
|
||
|
|
cleanupOnFail: true
|
||
|
|
remediation:
|
||
|
|
strategy: rollback
|
||
|
|
retries: 3
|
||
|
|
values:
|
||
|
|
controllers:
|
||
|
|
system-upgrade-controller:
|
||
|
|
strategy: RollingUpdate
|
||
|
|
containers:
|
||
|
|
app:
|
||
|
|
image:
|
||
|
|
repository: docker.io/rancher/system-upgrade-controller
|
||
|
|
tag: v0.14.1@sha256:7e13a9b2b984f0c0fd6328439b575348723cc6954b91db3453057fcb784e2d29
|
||
|
|
env:
|
||
|
|
SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
|
||
|
|
SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
|
||
|
|
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
|
||
|
|
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
|
||
|
|
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
|
||
|
|
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
|
||
|
|
SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
|
||
|
|
SYSTEM_UPGRADE_JOB_PRIVILEGED: true
|
||
|
|
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
|
||
|
|
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
|
||
|
|
SYSTEM_UPGRADE_CONTROLLER_NAME: *app
|
||
|
|
SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
|
||
|
|
valueFrom:
|
||
|
|
fieldRef:
|
||
|
|
fieldPath: metadata.namespace
|
||
|
|
securityContext:
|
||
|
|
allowPrivilegeEscalation: false
|
||
|
|
readOnlyRootFilesystem: true
|
||
|
|
capabilities: { drop: ["ALL"] }
|
||
|
|
seccompProfile:
|
||
|
|
type: RuntimeDefault
|
||
|
|
defaultPodOptions:
|
||
|
|
securityContext:
|
||
|
|
runAsNonRoot: true
|
||
|
|
runAsUser: 65534
|
||
|
|
runAsGroup: 65534
|
||
|
|
seccompProfile: { type: RuntimeDefault }
|
||
|
|
affinity:
|
||
|
|
nodeAffinity:
|
||
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||
|
|
nodeSelectorTerms:
|
||
|
|
- matchExpressions:
|
||
|
|
- key: node-role.kubernetes.io/control-plane
|
||
|
|
operator: Exists
|
||
|
|
tolerations:
|
||
|
|
- key: CriticalAddonsOnly
|
||
|
|
operator: Exists
|
||
|
|
- key: node-role.kubernetes.io/control-plane
|
||
|
|
operator: Exists
|
||
|
|
effect: NoSchedule
|
||
|
|
- key: node-role.kubernetes.io/master
|
||
|
|
operator: Exists
|
||
|
|
effect: NoSchedule
|
||
|
|
serviceAccount:
|
||
|
|
create: true
|
||
|
|
name: system-upgrade
|
||
|
|
persistence:
|
||
|
|
tmp:
|
||
|
|
type: emptyDir
|
||
|
|
etc-ssl:
|
||
|
|
type: hostPath
|
||
|
|
hostPath: /etc/ssl
|
||
|
|
hostPathType: DirectoryOrCreate
|
||
|
|
globalMounts:
|
||
|
|
- readOnly: true
|
||
|
|
etc-pki:
|
||
|
|
type: hostPath
|
||
|
|
hostPath: /etc/pki
|
||
|
|
hostPathType: DirectoryOrCreate
|
||
|
|
globalMounts:
|
||
|
|
- readOnly: true
|
||
|
|
etc-ca-certificates:
|
||
|
|
type: hostPath
|
||
|
|
hostPath: /etc/ca-certificates
|
||
|
|
hostPathType: DirectoryOrCreate
|
||
|
|
globalMounts:
|
||
|
|
- readOnly: true
|