jfroy · jfroy · May 15, 2026 · May 14, 2026
@@ -77,7 +77,8 @@ App-template apps follow the same four-file layout:
 **`helmrelease.yaml` key points:**
 
 - app-template apps: `chartRef.kind: OCIRepository`, name `app-template`, namespace `flux-system`; official-chart apps: `chartRef.kind: OCIRepository` pointing to the upstream OCI registry or `ghcr.io/home-operations/charts-mirror` — fall back to `HelmRepository` only if no OCI source exists
-- Standard boilerplate: `driftDetection.mode: enabled`, `install.remediation.retries: -1`, `upgrade.cleanupOnFail: true`
+- **Do not add install/upgrade/rollback boilerplate** — `kubernetes/cluster/ks.yaml` injects global defaults into every HelmRelease via a nested Kustomization patch: `driftDetection.mode: enabled`, `install.crds: CreateReplace`, `rollback.cleanupOnFail: true`, `upgrade.cleanupOnFail: true`, `upgrade.crds: CreateReplace`, `upgrade.strategy.name: RemediateOnFailure`, `upgrade.remediation.remediateLastFailure: true`, `upgrade.remediation.retries: 2`
+- To opt a HelmRelease out of global defaults (e.g. needs `crds: Skip` or `driftDetection.mode: disabled`), add `labels: { kantai.xyz/no-hr-defaults: "true" }` to the HelmRelease `metadata` and set all required fields explicitly
 - All containers get `reloader.stakater.com/auto: "true"` (restarts on secret change)
 - Security context: `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}`, `readOnlyRootFilesystem: true`
 - Routes use `parentRefs: [{name: envoy-internal, namespace: network}]` for LAN/tailnet-only services, `envoy-external` for public internet

@@ -23,15 +23,6 @@ spec:
   chartRef:
     kind: OCIRepository
     name: cert-manager
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     cainjector:
       featureGates: CAInjectorMerging=true

@@ -22,15 +22,6 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: jetstack
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     app:
       metrics:

@@ -28,19 +28,11 @@ spec:
     kind: OCIRepository
     name: cloudnative-pg
   driftDetection:
-    mode: enabled
     ignore:
       # Ignore "validated" annotation which is not inserted during install
       - paths: ["/metadata/annotations/prometheus-operator-validated"]
         target:
           kind: PrometheusRule
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     monitoring:
       podMonitorEnabled: true

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       influxdb:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       autobrr:

@@ -10,13 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       amd64:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       changedetection:

@@ -23,15 +23,6 @@ spec:
   chartRef:
     kind: OCIRepository
     name: crd-schema-publisher
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     serve:
       enabled: true

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     configMaps:
       dawarich-initdb:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       docker-registry-ui:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       docling:

@@ -10,13 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     defaultPodOptions:
       securityContext:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       gluetun-update:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       grimmory:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       homebox:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       homepage:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       hypermind:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       machine-learning:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       immichframe:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       valkey:

@@ -10,13 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       jellyfin:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       browserless:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       komga:

@@ -10,15 +10,6 @@ spec:
     kind: OCIRepository
     name: app-template
     namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: -1
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
   values:
     controllers:
       mealie: