From 4635d3b8269336fbc7e75dcb10ca29ec3cff7cdf Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sat, 14 Mar 2026 12:04:07 +0000
Subject: [PATCH] remember: CrowdSec Helm upgrade timeout [ci skip]

---
 .claude/CLAUDE.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
index 968016df..40d0c6c2 100755
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@@ -18,6 +18,9 @@
 - **Node memory changes**: When changing VM memory on any k8s node, update kubelet `systemReserved`, `kubeReserved`, and eviction thresholds accordingly. Config: `/var/lib/kubelet/config.yaml`. Template: `stacks/infra/main.tf`. Current values: systemReserved=512Mi, kubeReserved=512Mi, evictionHard=500Mi, evictionSoft=1Gi.
 - **Sealed Secrets**: User-managed secrets go in `sealed-*.yaml` files in the stack directory. Stacks pick them up via `kubernetes_manifest` + `fileset(path.module, "sealed-*.yaml")`. See AGENTS.md for full workflow.
 
+## Known Issues
+- **CrowdSec Helm upgrade times out**: `terragrunt apply` on platform stack causes CrowdSec Helm release to get stuck in `pending-upgrade`. Workaround: `helm rollback crowdsec <rev> -n crowdsec`. Root cause: likely ResourceQuota CPU at 302% preventing pods from passing readiness probes. Needs investigation.
+
 ## User Preferences
 - **Calendar**: Nextcloud at `nextcloud.viktorbarzin.me`
 - **Home Assistant**: ha-london (default), ha-sofia. "ha"/"HA" = ha-london