Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.

ansible/roles/noble_trivy/tasks/main.yml

@@ -1,4 +1,55 @@
 ---
+# Argo CD (Helm source + SSA) or raw kubectl can leave Trivy objects without **meta.helm.sh/** ownership.
+# Namespace-scoped resources go away when **trivy-system** is deleted; **ClusterRole** / **ClusterRoleBinding** /
+# **ClusterComplianceReport** do not. If there is no Helm release **trivy-operator**, reset namespace + cluster scope
+# so **helm upgrade --install** can adopt cleanly.
+- name: Check whether trivy-operator Helm release exists in trivy-system
+  ansible.builtin.command:
+    argv:
+      - helm
+      - status
+      - trivy-operator
+      - -n
+      - trivy-system
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_trivy_helm_release_status
+  failed_when: false
+  changed_when: false
+
+- name: Remove trivy-system namespace when Helm release is absent (orphan SSA / kubectl vs Ansible Helm)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - delete
+      - namespace
+      - trivy-system
+      - --ignore-not-found=true
+      - --wait=true
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_trivy_helm_release_status.rc != 0
+  register: noble_trivy_ns_reset
+  changed_when: "'deleted' in (noble_trivy_ns_reset.stdout | default(''))"
+
+- name: Remove orphan Trivy cluster-scoped resources when Helm release is absent
+  ansible.builtin.shell: |
+    set -euo pipefail
+    # Prefer label selector (matches chart); then explicit names for objects Argo may have created without labels.
+    kubectl delete clusterrolebinding -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
+    kubectl delete clusterrolebinding trivy-operator --ignore-not-found=true --wait=true
+    kubectl delete clusterrole -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
+    kubectl delete clusterrole trivy-operator aggregate-config-audit-reports-view aggregate-exposed-secret-reports-view aggregate-vulnerability-reports-view --ignore-not-found=true --wait=true
+    if kubectl api-resources --api-group=aquasecurity.github.io -o name 2>/dev/null | grep -q '^clustercompliancereports\.'; then
+      kubectl delete clustercompliancereports.aquasecurity.github.io -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
+      kubectl delete clustercompliancereports.aquasecurity.github.io k8s-cis-1.23 k8s-nsa-1.0 k8s-pss-baseline-0.1 k8s-pss-restricted-0.1 --ignore-not-found=true --wait=true 2>/dev/null || true
+    fi
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_trivy_helm_release_status.rc != 0
+  register: noble_trivy_cluster_reset
+  changed_when: "'deleted' in (noble_trivy_cluster_reset.stdout | default(''))"
+
 - name: Apply trivy-system namespace (PSA)
   ansible.builtin.command:
     argv: