Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.

2026-05-14 16:46:45 -04:00
parent 1a50599cb4
commit 1e6d84f0f3
8 changed files with 82 additions and 21 deletions
--- a/ansible/roles/noble_argocd/tasks/applications_post_platform.yml
+++ b/ansible/roles/noble_argocd/tasks/applications_post_platform.yml
@@ -1,6 +1,7 @@
 ---
-# Run after **noble_platform** Helm + `kubectl apply -k clusters/noble/bootstrap` so leaf **Application**
-# CRs are not reconciled by Argo before **helm upgrade** (avoids SSA conflicts with **argocd-controller**).
+# Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_trivy**,
+# **noble_velero** (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm
+# finishes, or **argocd-controller** can SSA resources without Helm release metadata (e.g. Trivy ServiceAccount).
 - name: Apply Argo CD root Application (app-of-apps)
  ansible.builtin.command:
    argv: