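#!/usr/bin/env fish
# Purpose: "Nuclear" reconcile for a target KS/HR by disabling gates, forcing
# update, then (optionally) restoring.
#
# Usage: <this script> [--restore]
#   --restore   re-apply the specs saved in step 0 after the forced reconcile.
#
# Operational notes:
#   * Steps 2 and 3 switch off health checks, waits, Helm tests and
#     remediation on the live objects. Without --restore they stay off until
#     someone changes them back.
#   * Backups are written to a fresh private directory created by mktemp, so a
#     second run can never overwrite a good backup with an already-patched
#     spec, and other local users cannot pre-create or read the files.
#     A HelmRelease spec may carry inline values; treat the backup as sensitive.
#   * A resource whose spec could not be backed up is left untouched.
#   * Exit status: 2 on a usage error, 1 if a preflight check or a requested
#     restore fails, otherwise the status of the final status command.

# Defaults (edit if you want different names/namespaces)
set -gx KS_NAME "vault"
set -gx KS_NS "flux-system"
set -gx HR_NAME "vault"
set -gx HR_NS "vault"
set -gx GIT_SRC "flux-system"   # GitRepository name
set -gx SRC_NS "flux-system"    # Namespace for sources (Git/Helm)
set -gx HELM_REPO "hashicorp"   # HelmRepository name

# Behavior flags
set -gx RESTORE "no"

# Reject anything that is not --restore: a mistyped flag must not silently
# turn into a run that leaves the gates disabled.
for arg in $argv
    switch $arg
        case --restore
            set RESTORE "yes"
        case '*'
            printf "Unknown argument: %s\nUsage: %s [--restore]\n" $arg (status filename) >&2
            exit 2
    end
end

function info; printf "► %s\n" $argv; end
function ok; printf "✔ %s\n" $argv; end
function warn; printf "⚠ %s\n" $argv; end

# Save one object as JSON with the server-populated fields removed, so the
# file can be re-applied later without a stale resourceVersion.
# Arguments: kind, namespace, name, destination file.
# Returns 0 only when the destination file ends up non-empty.
function backup_spec --argument-names kind ns name dest
    kubectl -n $ns get $kind $name -o json 2>/dev/null \
        | jq 'del(.metadata.resourceVersion, .metadata.uid, .metadata.generation,
                  .metadata.creationTimestamp, .metadata.managedFields, .status)' \
        > $dest 2>/dev/null
    # If kubectl failed, jq saw empty input and wrote nothing.
    test -s $dest
end

for tool in flux kubectl jq mktemp
    if not type -q $tool
        warn "Required command not found: $tool"
        exit 1
    end
end

info "Flux: "(flux -v)
info "Kube context: "(kubectl config current-context)

# --- 0) Preflight & backups ---------------------------------------------------
umask 077
set -g BAK_DIR (mktemp -d /tmp/flux-hammer.XXXXXX)
if not test -d "$BAK_DIR"
    warn "Could not create a private backup directory; nothing was changed."
    exit 1
end
set -g KS_BAK "$BAK_DIR/ks-$KS_NS-$KS_NAME.json"
set -g HR_BAK "$BAK_DIR/hr-$HR_NS-$HR_NAME.json"

set -g KS_OK "no"
set -g HR_OK "no"
if backup_spec kustomization $KS_NS $KS_NAME $KS_BAK
    set KS_OK "yes"
    ok "Backed up Kustomization spec to $KS_BAK"
else
    warn "No backup for Kustomization $KS_NS/$KS_NAME; it will be left untouched"
end
if backup_spec helmrelease $HR_NS $HR_NAME $HR_BAK
    set HR_OK "yes"
    ok "Backed up HelmRelease spec to $HR_BAK"
else
    warn "No backup for HelmRelease $HR_NS/$HR_NAME; it will be left untouched"
end

# --- 1) Suspend ---------------------------------------------------------------
info "Suspending Kustomization $KS_NS/$KS_NAME and HelmRelease $HR_NS/$HR_NAME"
if test "$KS_OK" = "yes"
    flux suspend kustomization $KS_NAME -n $KS_NS; or true
end
if test "$HR_OK" = "yes"
    flux suspend helmrelease $HR_NAME -n $HR_NS; or true
end
ok "Suspended (best-effort)"

# --- 2) Patch Kustomization: turn off waits/health & enable force -------------
if test "$KS_OK" = "yes"
    info "Patching Kustomization (force=true, wait=false)"
    kubectl -n $KS_NS patch kustomization $KS_NAME --type merge \
        -p '{"spec":{"force":true,"wait":false}}'; or true

    # Remove healthChecks if present
    set HAS_HC (kubectl -n $KS_NS get kustomization $KS_NAME -o json | jq -r '((.spec // {}) | has("healthChecks"))')
    if test "$HAS_HC" = "true"
        info "Removing .spec.healthChecks from Kustomization"
        kubectl -n $KS_NS patch kustomization $KS_NAME --type json \
            -p='[{"op":"remove","path":"/spec/healthChecks"}]'; or true
    else
        ok "No .spec.healthChecks present"
    end
end

# --- 3) Patch HelmRelease: disable waits/tests & stop auto-remediation --------
if test "$HR_OK" = "yes"
    info "Patching HelmRelease (disable waits & retries)"
    kubectl -n $HR_NS patch helmrelease $HR_NAME --type merge -p \
        '{
  "spec": {
    "install": { "disableWait": true, "remediation": { "retries": 0 } },
    "upgrade": { "disableWait": true, "remediation": { "retries": 0 } },
    "rollback": { "disableWait": true },
    "test": { "enable": false }
  }
}'; or true
end

# --- 4) Reconcile sources (Git & Helm repo) ----------------------------------
info "Reconciling sources"
flux reconcile source git $GIT_SRC -n $SRC_NS --timeout=2m; or true
flux reconcile source helm $HELM_REPO -n $SRC_NS --timeout=2m; or true
ok "Sources reconciled (best-effort)"

# --- 5) Resume and force reconciles ------------------------------------------
info "Resuming Kustomization and HelmRelease"
if test "$KS_OK" = "yes"
    flux resume kustomization $KS_NAME -n $KS_NS; or true
end
if test "$HR_OK" = "yes"
    flux resume helmrelease $HR_NAME -n $HR_NS; or true
end

if test "$KS_OK" = "yes"
    info "Reconciling Kustomization with source (no waits)"
    flux reconcile kustomization $KS_NAME -n $KS_NS --with-source --timeout=10m; or true
end
if test "$HR_OK" = "yes"
    info "FORCING HelmRelease reconcile (no waits)"
    flux reconcile helmrelease $HR_NAME -n $HR_NS --timeout=10m --force; or true
end

# --- 6) Optional restore of original specs -----------------------------------
set -g RESTORE_FAILED "no"
if test "$RESTORE" = "yes"
    info "Restoring original specs and reconciling"
    # NOTE(review): kubectl apply merges into the live object; fields that
    # steps 2-3 added and the saved spec never had may survive the restore.
    # Compare the live spec with the backup afterwards.
    if test "$KS_OK" = "yes"
        if kubectl apply -f $KS_BAK
            flux reconcile kustomization $KS_NAME -n $KS_NS --timeout=5m
            or warn "Kustomization spec re-applied, but the reconcile did not succeed"
        else
            warn "Could not re-apply $KS_BAK; Kustomization gates are still off"
            set RESTORE_FAILED "yes"
        end
    end
    if test "$HR_OK" = "yes"
        if kubectl apply -f $HR_BAK
            flux reconcile helmrelease $HR_NAME -n $HR_NS --timeout=5m
            or warn "HelmRelease spec re-applied, but the reconcile did not succeed"
        else
            warn "Could not re-apply $HR_BAK; HelmRelease gates are still off"
            set RESTORE_FAILED "yes"
        end
    end
    if test "$RESTORE_FAILED" = "no"
        ok "Restored and reconciled"
    end
else
    warn "Not restoring original specs (you ran without --restore). Gates remain off until you change them back."
    warn "Saved specs are in $BAK_DIR"
end

# --- 7) Show status -----------------------------------------------------------
info "Current filtered status:"
flux get kustomizations | grep -E "(NAME|^$KS_NAME\s)"; or true
flux get helmreleases -A | grep -E "(NAMESPACE|^$HR_NS\s+$HR_NAME\s)"; or true

# A failed restore leaves the safety gates disabled; make that visible to callers.
if test "$RESTORE_FAILED" = "yes"
    exit 1
end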