Kubernaut {{ .Chart.AppVersion }} has been installed in namespace {{ .Release.Namespace }}.
{{- if or (include "kubernaut.monitoring.isOCP" .) (eq (.Values.postgresql.variant | default "upstream") "ocp") }}

╔══════════════════════════════════════════════════════════════════════════════╗
║  ⚠️  DEPRECATION WARNING (Issue #848)                                       ║
╠══════════════════════════════════════════════════════════════════════════════╣
║                                                                              ║
║  OpenShift-specific Helm chart paths are DEPRECATED in v1.4 and will be      ║
║  REMOVED in v1.5. This includes:                                             ║
║                                                                              ║
║    - values-ocp.yaml overlay                                                 ║
║    - postgresql.variant: "ocp"                                               ║
║    - OCP service-ca annotations and inject-cabundle ConfigMaps               ║
║    - OCP monitoring RBAC (cluster-monitoring-view bindings)                   ║
║    - OCP auto-detection for Prometheus/AlertManager URLs                     ║
║                                                                              ║
║  MIGRATION: Use the Kubernaut Operator for OpenShift deployments.            ║
║                                                                              ║
║    Docs:  https://jordigilh.github.io/kubernaut-docs/operations/operator/    ║
║    Guide: https://jordigilh.github.io/kubernaut-docs/operations/helm-to-operator/
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
{{- end }}

=== Post-Install Verification ===

1. Verify all pods are running:

   kubectl get pods -n {{ .Release.Namespace }}

2. Verify LLM credentials secret exists:

   kubectl get secret {{ .Values.kubernautAgent.llm.credentialsSecretName }} -n {{ .Release.Namespace }}

   If missing, create it with your LLM provider API key:

   kubectl create secret generic {{ .Values.kubernautAgent.llm.credentialsSecretName }} \
     --from-literal=OPENAI_API_KEY=sk-... \
     -n {{ .Release.Namespace }}

   Then restart the Kubernaut Agent to pick it up:

   kubectl rollout restart deployment/kubernaut-agent -n {{ .Release.Namespace }}

3. Check the workflow catalog (run the port-forward in one terminal and curl in another):

   kubectl port-forward -n {{ .Release.Namespace }} svc/data-storage-service 8080:8080
   curl -s http://localhost:8080/api/v1/workflows | jq '.'

=== Rego Policies ===

Rego policies are required and must be provided at install time:

  --set-file signalprocessing.policies.content=path/to/policy.rego
  --set-file aianalysis.policies.content=path/to/approval.rego

Alternatively, create ConfigMaps manually and reference them:

  --set signalprocessing.policies.existingConfigMap=my-sp-policy
  --set aianalysis.policies.existingConfigMap=my-aa-policy

For reference policies, see: https://github.com/jordigilh/kubernaut-demo-scenarios

=== ActionTypes & RemediationWorkflows ===

The chart does not bundle ActionTypes or RemediationWorkflows.
Deploy your own after install:

  kubectl rollout status deploy/authwebhook -n {{ .Release.Namespace }} --timeout=120s
  kubectl apply -f <your-action-types/> -n {{ .Release.Namespace }}
  kubectl apply -f <your-workflows/> -n {{ .Release.Namespace }}

For demo scenarios, see: https://github.com/jordigilh/kubernaut-demo-scenarios

{{- if and (include "kubernaut.monitoring.prometheus.enabled" .) (or .Values.kubernautAgent.existingSdkConfigMap .Values.kubernautAgent.sdkConfigContent) }}

=== IMPORTANT: Prometheus Configuration ===

You have enabled monitoring.prometheus but are using a custom SDK config
({{ if .Values.kubernautAgent.existingSdkConfigMap }}existingSdkConfigMap: {{ .Values.kubernautAgent.existingSdkConfigMap }}{{ else }}sdkConfigContent{{ end }}).

The chart has created the RBAC bindings and TLS CA volume mounts, and has
configured Prometheus in the agent's config.yaml (tools.prometheus.url).
No additional SDK config changes are needed for Prometheus access.

{{- end }}

=== Monitoring ===

Kubernaut is designed to work with kube-prometheus-stack.
If deployed, configure AlertManager to send alerts to the Gateway:

  receivers:
    - name: kubernaut
      webhook_configs:
        - url: "http://gateway-service.{{ .Release.Namespace }}.svc.cluster.local:8080/api/v1/signals/prometheus"
          send_resolved: true
          http_config:
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

=== Upgrading ===

CRDs are NOT upgraded automatically by `helm upgrade`. To update CRDs:

   helm pull oci://quay.io/kubernaut-ai/charts/kubernaut --version <new-version> --untar
   kubectl apply --server-side --force-conflicts -f kubernaut/crds/

Run this BEFORE `helm upgrade` when CRD schemas have changed between versions.

{{- if eq .Values.tls.mode "hook" }}
TLS mode: hook (self-signed certificates via Helm hooks).
Certificates are automatically renewed during upgrade if they expire within 30 days.
{{- else if eq .Values.tls.mode "cert-manager" }}
TLS mode: cert-manager (certificates managed by cert-manager).
The authwebhook-cert Certificate resource provisions the authwebhook-tls Secret.
cert-manager handles renewal automatically.
{{- else if eq .Values.tls.mode "manual" }}
TLS mode: manual (user-managed certificates).
You must create the authwebhook-tls Secret (type kubernetes.io/tls) and patch the
MutatingWebhookConfiguration and ValidatingWebhookConfiguration with the CA bundle:

   # Secret data is already base64; the ConfigMap fallback holds plain PEM,
   # so only the fallback is piped through base64.
   CA_B64=$(kubectl get secret authwebhook-tls -n {{ .Release.Namespace }} \
     -o jsonpath='{.data.ca\.crt}' 2>/dev/null || \
     kubectl get configmap authwebhook-ca -n {{ .Release.Namespace }} \
     -o jsonpath='{.data.ca\.crt}' | base64 | tr -d '\n')

   kubectl patch mutatingwebhookconfigurations authwebhook-mutating --type=json \
     -p "[{\"op\":\"add\",\"path\":\"/webhooks/0/clientConfig/caBundle\",\"value\":\"${CA_B64}\"}]"
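
Added example (not part of the chart): the patch above sets caBundle on
webhooks/0 only. The helper below builds a JSON patch covering every webhook
entry of a configuration from a PEM CA file, and applies equally to the
mutating and validating configurations. The function name build_ca_patch, the
file name ca.crt and the entry-count argument are assumptions.

```shell
# Added example, not chart code: build_ca_patch is a hypothetical helper.
# Usage: build_ca_patch <ca.pem> <number-of-webhook-entries>
build_ca_patch() {
  _pem=$1
  _count=$2
  # caBundle is readable by anyone who can read the webhook object:
  # accept certificates only, never key material.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$_pem"; then
    echo "no PEM certificate in $_pem" >&2
    return 1
  fi
  if grep -q -e 'PRIVATE KEY-----' "$_pem"; then
    echo "refusing: $_pem contains a private key" >&2
    return 1
  fi
  case $_count in
    ''|*[!0-9]*|0) echo "entry count must be a positive integer" >&2; return 1 ;;
  esac
  # The API expects the PEM bundle base64-encoded on a single line.
  _b64=$(base64 < "$_pem" | tr -d '\n')
  _i=0
  _ops=
  while [ "$_i" -lt "$_count" ]; do
    _ops="${_ops:+$_ops,}{\"op\":\"add\",\"path\":\"/webhooks/$_i/clientConfig/caBundle\",\"value\":\"$_b64\"}"
    _i=$((_i + 1))
  done
  printf '[%s]\n' "$_ops"
}

# Typical use (requires cluster access, so left as comments):
#   n=$(kubectl get mutatingwebhookconfigurations authwebhook-mutating \
#         -o jsonpath='{.webhooks[*].name}' | wc -w)
#   kubectl patch mutatingwebhookconfigurations authwebhook-mutating \
#     --type=json -p "$(build_ca_patch ca.crt "$n")"
```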
{{- end }}

=== Uninstalling ===

   helm uninstall {{ .Release.Name }} -n {{ .Release.Namespace }}

IMPORTANT -- Data Retention:
  - PostgreSQL and Valkey PVCs are RETAINED after uninstall (helm.sh/resource-policy: keep).
    To remove them manually:

      kubectl delete pvc postgresql-data valkey-data -n {{ .Release.Namespace }}

  - CRDs and their data are NOT removed. To delete all Kubernaut CRDs:

      kubectl delete $(kubectl get crd -o name | grep 'kubernaut\.ai')

  - The {{ include "kubernaut.workflowNamespace" . }} namespace may contain active Jobs or PipelineRuns.
    Verify it is empty or clean up before uninstalling if it gets stuck:

      kubectl get jobs -n {{ include "kubernaut.workflowNamespace" . }}

=== Known Limitations ===

  - Single installation per cluster: cluster-scoped resources (ClusterRoles,
    WebhookConfigurations) use static names and will conflict if multiple
    releases are installed in different namespaces.
