From 0b9079f96782893b75aa2645aee23bcd00bb6a67 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm <nikolaiemildamm@icloud.com>
Date: Fri, 29 May 2026 07:55:18 +0200
Subject: [PATCH] fix(ci): raise local infrastructure Flux timeout to 20m for
 vault-config bootstrap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The vault-config Job in k8s/bases/infrastructure/vault-config/job.yaml
bootstraps OpenBao (KV engine, Kubernetes auth, policies, roles) and is
depended on intra-Kustomization by every consumer of the 'openbao'
ClusterSecretStore — the ExternalSecrets and vault-seed PushSecrets in
the same 'infrastructure' Flux Kustomization. On cold Docker CI runners
the Job legitimately needs longer than the 3m base health-check budget
(the Job's own activeDeadlineSeconds is 3600s by design), causing
HealthCheckFailed flakes:

  Kustomization/flux-system/infrastructure — health check failed after
  3m0.4s: timeout waiting for: [Job/openbao/vault-config status:
  'InProgress'] (HealthCheckFailed)

(observed on PR #1636 system-test run 26603473269; the PR itself only
touched homepage/headlamp/actual-budget HelmReleases.)

Patch the local cluster overlay's 'infrastructure' Kustomization
timeout to 20m, matching prod's existing patch value for the same
Kustomization and following the established overlay-patch pattern in
this repo (local already patches apps->20m and
infrastructure-controllers->12m for the same cold-Docker-CI rationale).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 k8s/clusters/local/kustomization.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/k8s/clusters/local/kustomization.yaml b/k8s/clusters/local/kustomization.yaml
index ae2dea735..37baeeb62 100644
--- a/k8s/clusters/local/kustomization.yaml
+++ b/k8s/clusters/local/kustomization.yaml
@@ -38,6 +38,24 @@ patches:
         namespace: flux-system
       spec:
         timeout: 12m
+  # The vault-config Job co-located in the infrastructure layer (see
+  # bases/infrastructure/vault-config/job.yaml) bootstraps OpenBao —
+  # KV engine, Kubernetes auth, policies, roles — and is depended on
+  # intra-Kustomization by the openbao ClusterSecretStore consumers
+  # (ExternalSecrets, vault-seed PushSecrets). On cold Docker CI runners
+  # the Job legitimately takes longer than the 3m base health-check
+  # budget, which caused system-test flakes (see PR #1636 run
+  # 26603473269: `[Job/openbao/vault-config status: 'InProgress']
+  # (HealthCheckFailed)`). The Job's own activeDeadlineSeconds is 3600s.
+  # 20m mirrors the prod patch value for the same Kustomization.
+  - patch: |
+      apiVersion: kustomize.toolkit.fluxcd.io/v1
+      kind: Kustomization
+      metadata:
+        name: infrastructure
+        namespace: flux-system
+      spec:
+        timeout: 20m
 
 replacements:
   # Point apps / infrastructure / infrastructure-controllers Flux Kustomizations