# Example: argocd-apps/sealed-secrets-app.yaml (in your GitOps repo)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sealed-secrets-controller
  # Recommended: Install Sealed Secrets in the Argo CD control plane namespace
  # or a specific namespace for cluster-wide components.
  namespace: sealed-secrets
  # Optional: Add finalizer to ensure resources are deleted cleanly
  annotations:
    # Sync Wave: Higher number syncs later
    argocdj.argoproj.io/sync-wave: "0"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default # Or your specific Argo CD project
  source:
    repoURL: https://bitnami-labs.github.io/sealed-secrets/ # Sealed Secrets chart repository
    chart: sealed-secrets
    targetRevision: 2.17.2 # Specify the desired chart version (Check for the latest stable version!)
    helm:
      # Manage configuration through values here or via a values file
      values: |
        replicas: 1


  destination:
    server: https://kubernetes.default.svc
    # Target namespace for the Sealed Secrets controller deployment itself
    namespace: sealed-secrets # Or your dedicated 'sealed-secrets' namespace
  syncPolicy:
    automated: # Optional: Enable automatic sync
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true # Creates the namespace if it doesn't exist
      # --- CRITICAL: Address CRD installation order ---
      # If using Option B (Separate CRD Management below), ensure the controller waits for CRDs.
      # - ApplyOutOfSyncOnly=true # Can help prevent flapping if CRDs take time