chore(flux): use cluster-apps patch to set standard HR settings

Author: jfroy

CLAUDE.md

@@ -77,7 +77,8 @@ App-template apps follow the same four-file layout:
 **`helmrelease.yaml` key points:**
 
 - app-template apps: `chartRef.kind: OCIRepository`, name `app-template`, namespace `flux-system`; official-chart apps: `chartRef.kind: OCIRepository` pointing to the upstream OCI registry or `ghcr.io/home-operations/charts-mirror` — fall back to `HelmRepository` only if no OCI source exists
-- Standard boilerplate: `driftDetection.mode: enabled`, `install.remediation.retries: -1`, `upgrade.cleanupOnFail: true`
+- **Do not add install/upgrade/rollback boilerplate** — `kubernetes/cluster/ks.yaml` injects global defaults into every HelmRelease via a nested Kustomization patch: `driftDetection.mode: enabled`, `install.crds: CreateReplace`, `rollback.cleanupOnFail: true`, `upgrade.cleanupOnFail: true`, `upgrade.crds: CreateReplace`, `upgrade.strategy.name: RemediateOnFailure`, `upgrade.remediation.remediateLastFailure: true`, `upgrade.remediation.retries: 2`
+- To opt a HelmRelease out of global defaults (e.g. needs `crds: Skip` or `driftDetection.mode: disabled`), add `labels: { kantai.xyz/no-hr-defaults: "true" }` to the HelmRelease `metadata` and set all required fields explicitly
 - All containers get `reloader.stakater.com/auto: "true"` (restarts on secret change)
 - Security context: `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}`, `readOnlyRootFilesystem: true`
 - Routes use `parentRefs: [{name: envoy-internal, namespace: network}]` for LAN/tailnet-only services, `envoy-external` for public internet

kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -23,15 +23,6 @@ spec:
   chartRef:
     kind: OCIRepository
     name: cert-manager
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     cainjector:
       featureGates: CAInjectorMerging=true

kubernetes/apps/cert-manager/trust-manager/app/helmrelease.yaml

@@ -22,15 +22,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: jetstack
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     app:
       metrics:

kubernetes/apps/cnpg-system/cloudnative-pg/app/helmrelease.yaml

@@ -28,19 +28,11 @@ spec:
     kind: OCIRepository
     name: cloudnative-pg
   driftDetection:
-    mode: enabled
     ignore:
       # Ignore "validated" annotation which is not inserted during install
       - paths: ["/metadata/annotations/prometheus-operator-validated"]
         target:
           kind: PrometheusRule
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     monitoring:
       podMonitorEnabled: true

kubernetes/apps/database/influxdb/app/helmrelease.yaml

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       influxdb:

kubernetes/apps/default/autobrr/app/helmrelease.yaml

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       autobrr:

kubernetes/apps/default/buildkit/app/helmrelease.yaml

@@ -10,13 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       amd64:

kubernetes/apps/default/changedetection/app/helmrelease.yaml

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       changedetection:

kubernetes/apps/default/crd-schema-publisher/app/helmrelease.yaml

@@ -23,15 +23,6 @@ spec:
   chartRef:
     kind: OCIRepository
     name: crd-schema-publisher
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     serve:
       enabled: true

kubernetes/apps/default/dawarich/app/helmrelease.yaml

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     configMaps:
       dawarich-initdb: