Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.

ansible/playbooks/noble.yml

@@ -4,7 +4,8 @@
 # Run from repo **ansible/** directory:  ansible-playbook playbooks/noble.yml
 #
 # Tags: repos, cilium, csi_snapshot, metrics, longhorn, metallb, kube_vip, traefik, cert_manager, newt,
-#       argocd, kyverno, kyverno_policies, platform, authentik, trivy, velero, all (default)
+#       argocd, kyverno, kyverno_policies, platform, authentik, trivy, velero, landing, all (default)
+# Argo leaf **Application** CRs are applied in play **tasks:** after **noble_velero** (Ansible Helm first, then GitOps).
 - name: Noble cluster — platform stack (Ansible-managed)
   hosts: localhost
   connection: local
@@ -234,5 +235,17 @@
       tags: [trivy, security, scanning]
     - role: noble_velero
       tags: [velero, backups]
-    - role: noble_landing_urls
-      tags: [landing, platform, observability, apps]
+
+  tasks:
+    # Leaf Application CRs must exist only after all Ansible Helm in this play (platform, authentik, trivy, …)
+    # so argocd-controller does not SSA resources before Helm owns them; then Argo can take over (manual → auto).
+    - name: Apply Argo CD root / bootstrap / leaf Application manifests (post–Ansible Helm)
+      ansible.builtin.include_role:
+        name: noble_argocd
+        tasks_from: applications_post_platform
+      tags: [argocd, gitops, platform, apps, observability, all]
+
+    - name: Noble landing URLs (+ optional token fetch)
+      ansible.builtin.include_role:
+        name: noble_landing_urls
+      tags: [landing, platform, observability, apps, all]