Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.

clusters/noble/bootstrap/kustomization.yaml

@@ -1,7 +1,7 @@
 # Ansible **noble_platform**: `kubectl apply -k` this directory (namespaces + static YAML only).
-# Leaf Argo **Application** manifests live under **argocd/app-of-apps/** and are applied **after** Helm
-# by **noble_argocd** `applications_post_platform.yml` so **argocd-controller** does not SSA the chart
-# before **helm upgrade** runs.
+# Leaf Argo **Application** manifests live under **argocd/app-of-apps/** and are applied at the **end**
+# of **ansible/playbooks/noble.yml** (play **tasks:** → **noble_argocd** `applications_post_platform.yml`) so
+# **argocd-controller** does not SSA chart resources before **helm upgrade** (platform, authentik, trivy, …).
 #
 # **noble-bootstrap-root** syncs this same path for GitOps on namespaces/datasource/VolumeSnapshotClass.
 # Per-chart GitOps: each **noble-*** app under **argocd/app-of-apps/** (manual sync until you cut over).