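---
# Example: argocd-apps/sealed-secrets-app.yaml (in your GitOps repo)
#
# Argo CD Application that installs the Sealed Secrets controller from its Helm chart.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sealed-secrets-controller
  # Namespace of the Application object itself, not of the workload. Argo CD only
  # reconciles Applications in its own control-plane namespace (`argocd` in a default
  # install) unless "applications in any namespace" has been enabled. Adjust if your
  # Argo CD runs elsewhere. The controller's namespace is spec.destination.namespace.
  namespace: argocd
  annotations:
    # Sync wave: lower numbers sync first, higher numbers sync later.
    argocd.argoproj.io/sync-wave: "0"
  # Optional: cascade-delete the resources this Application manages when the
  # Application is deleted. If the chart also manages the SealedSecret CRD (Option A
  # below), removing the CRD removes every SealedSecret object in the cluster, so
  # back up the controller's sealing keys before deleting this Application.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  # Or your specific Argo CD project. The built-in `default` project allows any
  # source repo and any destination unless it has been locked down; a dedicated
  # AppProject restricted to this chart repo and namespace is the least-privilege choice.
  project: default
  source:
    # Sealed Secrets chart repository.
    repoURL: https://bitnami-labs.github.io/sealed-secrets
    chart: sealed-secrets
    # Pin an exact chart version (check for the latest stable version!).
    # NOTE(review): confirm this string matches the version published in the chart
    # index; chart versions are often listed without a leading `v`.
    targetRevision: v2.17.2
    helm:
      # Manage configuration through values here or via a values file.
      values: |
        # Example: Increase replicas for HA (if needed)
        # replicas: 2
        # Example: Add resource requests/limits
        # resources:
        #   requests:
        #     cpu: 100m
        #     memory: 128Mi
        #   limits:
        #     cpu: 200m
        #     memory: 256Mi

        # --- CRITICAL: Decide on CRD management ---
        # Option A (let the chart manage CRDs: simpler setup, potential issues on
        # upgrade/uninstall):
        # installCRDs: true  # This flag might exist in some chart versions, check chart docs.
        #
        # Option B (recommended by Argo CD for CRDs: manage CRDs separately):
        # Ensure CRDs are NOT managed by this Helm chart application. You would
        # typically manage CRDs using a separate Argo CD Application with sync waves,
        # or apply them manually *before* this app syncs.
        # Check the specific chart version's values.yaml for a flag like `crds.create`
        # or similar and set it to `false`.
        # Do not set installCRDs=true when CRDs are managed separately.
      # For Option B, CRDs shipped in the chart's top-level crds/ directory can be
      # skipped with the line below; CRDs rendered from regular templates need the
      # chart's own flag instead. NOTE(review): check which layout this chart version uses.
      # skipCrds: true
      # Optional: Use a separate values file from your Git repo
      # valueFiles:
      #   - values/sealed-secrets-values.yaml
  destination:
    server: https://kubernetes.default.svc
    # Target namespace for the Sealed Secrets controller deployment itself.
    # kubeseal looks for the controller in kube-system by default, so clients need
    # `--controller-namespace sealed-secrets` when this namespace is used.
    namespace: sealed-secrets
  syncPolicy:
    # Optional: enable automatic sync.
    automated:
      # Delete resources that are no longer defined in the source.
      prune: true
      # Revert manual changes made to the live resources.
      selfHeal: true
    syncOptions:
      # Creates the destination namespace if it doesn't exist.
      - CreateNamespace=true
      # --- CRITICAL: Address CRD installation order ---
      # If using Option B (CRDs managed separately), make sure the CRDs are applied
      # before this Application syncs.
      # Syncs only out-of-sync resources; can help prevent flapping if CRDs take time.
      # - ApplyOutOfSyncOnly=true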