Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.

2026-05-14 16:46:45 -04:00
parent 1a50599cb4
commit 1e6d84f0f3
8 changed files with 82 additions and 21 deletions
--- a/ansible/roles/noble_argocd/tasks/applications_post_platform.yml
+++ b/ansible/roles/noble_argocd/tasks/applications_post_platform.yml
@@ -1,6 +1,7 @@
 ---
-# Run after **noble_platform** Helm + `kubectl apply -k clusters/noble/bootstrap` so leaf **Application**
-# CRs are not reconciled by Argo before **helm upgrade** (avoids SSA conflicts with **argocd-controller**).
+# Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_trivy**,
+# **noble_velero** (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm
+# finishes, or **argocd-controller** can SSA resources without Helm release metadata (e.g. Trivy ServiceAccount).
 - name: Apply Argo CD root Application (app-of-apps)
  ansible.builtin.command:
    argv:
--- a/ansible/roles/noble_platform/tasks/main.yml
+++ b/ansible/roles/noble_platform/tasks/main.yml
@@ -218,8 +218,3 @@
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: true
-
- name: Argo CD — apply Application manifests after platform Helm
-  ansible.builtin.include_role:
-    name: noble_argocd
-    tasks_from: applications_post_platform
--- a/ansible/roles/noble_post_deploy/tasks/main.yml
+++ b/ansible/roles/noble_post_deploy/tasks/main.yml
@@ -9,8 +9,9 @@
 - name: Argo CD optional root Application (empty app-of-apps)
  ansible.builtin.debug:
    msg: >-
-      App-of-apps: after **noble_platform**, noble.yml runs **noble_argocd** `applications_post_platform.yml`:
-      root-application.yaml when noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k
-      argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml).
+      App-of-apps: at the **end** of **noble.yml** (after **noble_platform**, **noble_authentik**, **noble_trivy**,
+      **noble_velero**), **noble_argocd** `applications_post_platform.yml` runs: root-application.yaml when
+      noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k argocd/app-of-apps**
+      when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml).
      noble-bootstrap-root uses manual sync until you enable automation after the playbook —
      clusters/noble/bootstrap/argocd/README.md §5. See clusters/noble/apps/README.md and that README.
--- a/ansible/roles/noble_trivy/tasks/main.yml
+++ b/ansible/roles/noble_trivy/tasks/main.yml
@@ -1,4 +1,55 @@
 ---
+# Argo CD (Helm source + SSA) or raw kubectl can leave Trivy objects without **meta.helm.sh/** ownership.
+# Namespace-scoped resources go away when **trivy-system** is deleted; **ClusterRole** / **ClusterRoleBinding** /
+# **ClusterComplianceReport** do not. If there is no Helm release **trivy-operator**, reset namespace + cluster scope
+# so **helm upgrade --install** can adopt cleanly.
+- name: Check whether trivy-operator Helm release exists in trivy-system
+  ansible.builtin.command:
+    argv:
+      - helm
+      - status
+      - trivy-operator
+      - -n
+      - trivy-system
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_trivy_helm_release_status
+  failed_when: false
+  changed_when: false
+
+- name: Remove trivy-system namespace when Helm release is absent (orphan SSA / kubectl vs Ansible Helm)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - delete
+      - namespace
+      - trivy-system
+      - --ignore-not-found=true
+      - --wait=true
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_trivy_helm_release_status.rc != 0
+  register: noble_trivy_ns_reset
+  changed_when: "'deleted' in (noble_trivy_ns_reset.stdout | default(''))"
+
+- name: Remove orphan Trivy cluster-scoped resources when Helm release is absent
+  ansible.builtin.shell: |
+    set -euo pipefail
+    # Prefer label selector (matches chart); then explicit names for objects Argo may have created without labels.
+    kubectl delete clusterrolebinding -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
+    kubectl delete clusterrolebinding trivy-operator --ignore-not-found=true --wait=true
+    kubectl delete clusterrole -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
+    kubectl delete clusterrole trivy-operator aggregate-config-audit-reports-view aggregate-exposed-secret-reports-view aggregate-vulnerability-reports-view --ignore-not-found=true --wait=true
+    if kubectl api-resources --api-group=aquasecurity.github.io -o name 2>/dev/null | grep -q '^clustercompliancereports\.'; then
+      kubectl delete clustercompliancereports.aquasecurity.github.io -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
+      kubectl delete clustercompliancereports.aquasecurity.github.io k8s-cis-1.23 k8s-nsa-1.0 k8s-pss-baseline-0.1 k8s-pss-restricted-0.1 --ignore-not-found=true --wait=true 2>/dev/null || true
+    fi
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_trivy_helm_release_status.rc != 0
+  register: noble_trivy_cluster_reset
+  changed_when: "'deleted' in (noble_trivy_cluster_reset.stdout | default(''))"
+
 - name: Apply trivy-system namespace (PSA)
  ansible.builtin.command:
    argv: