theshire/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml

101 lines
3.2 KiB
YAML

---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app system-upgrade-controller
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
values:
controllers:
system-upgrade-controller:
strategy: RollingUpdate
containers:
app:
image:
repository: docker.io/rancher/system-upgrade-controller
tag: v0.14.2@sha256:3cdbfdd90f814702cefb832fc4bdb09ea93865a4d06c6bafd019d1dc6a9f34c9
env:
SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
SYSTEM_UPGRADE_JOB_PRIVILEGED: true
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
SYSTEM_UPGRADE_CONTROLLER_NAME: *app
SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
seccompProfile:
type: RuntimeDefault
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile: { type: RuntimeDefault }
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccount:
create: true
name: system-upgrade
persistence:
tmp:
type: emptyDir
etc-ssl:
type: hostPath
hostPath: /etc/ssl
hostPathType: DirectoryOrCreate
globalMounts:
- readOnly: true
etc-pki:
type: hostPath
hostPath: /etc/pki
hostPathType: DirectoryOrCreate
globalMounts:
- readOnly: true
etc-ca-certificates:
type: hostPath
hostPath: /etc/ca-certificates
hostPathType: DirectoryOrCreate
globalMounts:
- readOnly: true