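---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
#
# Flux HelmRelease that deploys rancher/system-upgrade-controller through the
# bjw-s app-template chart.
#
# NOTE(review): the source had lost its line breaks, so everything after the
# first '#' parsed as a comment. Nesting below is rebuilt from the key order
# and the app-template layout; confirm against the chart schema.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  # Anchor reused below for SYSTEM_UPGRADE_CONTROLLER_NAME.
  name: &app system-upgrade-controller
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 3.5.1
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    controllers:
      system-upgrade-controller:
        strategy: RollingUpdate
        containers:
          app:
            image:
              repository: docker.io/rancher/system-upgrade-controller
              # Tag plus digest: the digest is what is actually pulled, so a
              # re-pushed tag cannot change the running image.
              tag: v0.14.1@sha256:7e13a9b2b984f0c0fd6328439b575348723cc6954b91db3453057fcb784e2d29
            # Scalar values are quoted so they reach the pod spec as strings
            # instead of YAML booleans/integers.
            env:
              SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false"
              SYSTEM_UPGRADE_CONTROLLER_THREADS: "2"
              SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900"
              SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99"
              SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
              # NOTE(review): pinned by tag only, unlike the controller image
              # above. Append the image digest (tag@sha256:<digest>) so the
              # job helper image is immutable as well.
              SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
              SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
              # Upgrade jobs run privileged. Treat the right to create or
              # edit the Plan resources this controller acts on as
              # equivalent to root on the targeted nodes, and scope RBAC on
              # them accordingly.
              SYSTEM_UPGRADE_JOB_PRIVILEGED: "true"
              SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900"
              SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
              SYSTEM_UPGRADE_CONTROLLER_NAME: *app
              # Downward API: the namespace the pod is scheduled into.
              SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            # The controller container itself is locked down; only the jobs
            # it spawns are privileged (see SYSTEM_UPGRADE_JOB_PRIVILEGED).
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
              seccompProfile:
                type: RuntimeDefault
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        seccompProfile: { type: RuntimeDefault }
      # Hard requirement: schedule only on control-plane nodes.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
      # Tolerate the control-plane taints (current and legacy "master" key)
      # so the affinity above can be satisfied.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
    # NOTE(review): the Role/ClusterRole bound to this account is not part
    # of this manifest; review that binding, since it decides what the
    # controller and anything running as this account can do.
    serviceAccount:
      create: true
      name: system-upgrade
    persistence:
      # Presumably the writable scratch space needed because the root
      # filesystem is read-only - confirm the mount path the chart assigns.
      tmp:
        type: emptyDir
      # Host CA bundles, mounted read-only. hostPath volumes are rejected by
      # the Pod Security Standards baseline and restricted profiles, so the
      # target namespace needs a matching exemption. DirectoryOrCreate lets
      # the kubelet create a missing directory on the node; hostPathType
      # Directory would fail the mount instead of touching the host.
      etc-ssl:
        type: hostPath
        hostPath: /etc/ssl
        hostPathType: DirectoryOrCreate
        globalMounts:
          - readOnly: true
      etc-pki:
        type: hostPath
        hostPath: /etc/pki
        hostPathType: DirectoryOrCreate
        globalMounts:
          - readOnly: true
      etc-ca-certificates:
        type: hostPath
        hostPath: /etc/ca-certificates
        hostPathType: DirectoryOrCreate
        globalMounts:
          - readOnly: true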