Refactor Argo CD application management by removing noble-kyverno and noble-platform configurations, transitioning to Ansible-driven installations. Update documentation to clarify the optional nature of app-of-apps and the role of kustomization.yaml as an empty resource holder. Ensure users are informed about the need to delete stale Applications when migrating from previous configurations.

clusters/noble/apps/kustomization.yaml

@@ -1,5 +1,5 @@
-# Plain Kustomize only (namespaces + extra YAML). Helm charts are **Application** sources in
-# **bootstrap/argocd/apps/noble-platform.yaml** — avoids **kustomize --enable-helm** on repo-server.
+# Plain Kustomize only (namespaces + extra YAML). Helm installs are driven by **ansible/playbooks/noble.yml**
+# (role **noble_platform**) — avoids **kustomize --enable-helm** in-repo.
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 

clusters/noble/bootstrap/argocd/README.md

@@ -39,17 +39,21 @@ Change the password in the UI or via `argocd account update-password`.
 
 Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` of type `repository`.
 
-## 4. App-of-apps (optional)
+## 4. App-of-apps (optional GitOps only)
+
+Bootstrap **platform** workloads (CNI, ingress, cert-manager, Kyverno, observability, Vault, etc.) are installed by
+**`ansible/playbooks/noble.yml`** — not by Argo. **`apps/kustomization.yaml`** is empty by default.
 
 1. Edit **`root-application.yaml`**: set **`repoURL`** and **`targetRevision`** to this repository. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argo’s path-qualified form so **`kubectl apply`** does not warn about finalizer names.
-2. Commit **`Application`** manifests under **`apps/`** (see **`apps/README.md`**).
+2. When you want Argo to manage specific apps, add **`Application`** manifests under **`apps/`** (see **`apps/README.md`**).
 3. Apply the root:
 
    ```bash
    kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
    ```
 
-**`apps/noble-platform.yaml`** uses **multiple sources** (Helm repos + Git **`ref`/`path`**); **`clusters/noble/apps/kustomization.yaml`** is plain resources only — chart installs are **Helm** sources, not Kustomize **helmCharts**.
+If you migrated from GitOps-managed **`noble-platform`** / **`noble-kyverno`**, delete stale **`Application`** objects on
+the cluster (see **`apps/README.md`**) then re-apply the root.
 
 ## Versions
 

clusters/noble/bootstrap/argocd/apps/README.md

@@ -1,11 +1,17 @@
-# Argo CD — app-of-apps children
+# Argo CD — app-of-apps children (optional GitOps only)
 
-**`noble-root`** syncs this directory. Order matters for **Kyverno** webhooks:
+**Core platform is Ansible-managed** — see repository **`ansible/README.md`** and **`ansible/playbooks/noble.yml`**.
 
-| Application | Sync wave | Role |
-|-------------|-----------|------|
-| **`noble-kyverno`** | `0` | Kyverno operator only |
-| **`noble-kyverno-policies`** | `1` | `kyverno-policies` chart (after operator) |
-| **`noble-platform`** | `2` | Sealed Secrets, ESO, Vault, observability, Headlamp + Git/Kustomize |
+This directory’s **`kustomization.yaml`** has **`resources: []`** so **`noble-root`** (if applied) does not reconcile Helm charts or cluster add-ons. **Add `Application` manifests here only** for apps you want Argo to manage (for example, sample workloads or third-party charts not covered by the bootstrap playbook).
 
-**`noble-platform`** uses **Helm** `sources` + Git **`ref`/`path`**; **`clusters/noble/apps/kustomization.yaml`** is plain resources (no **`helmCharts`**).
+| Previous (removed) | Now |
+|--------------------|-----|
+| **`noble-kyverno`**, **`noble-kyverno-policies`**, **`noble-platform`** | Installed by Ansible roles **`noble_kyverno`**, **`noble_kyverno_policies`**, **`noble_platform`** |
+
+If you previously synced **`noble-root`** with the old child manifests, delete stale Applications on the cluster:
+
+```bash
+kubectl delete application -n argocd noble-platform noble-kyverno noble-kyverno-policies --ignore-not-found
+```
+
+Then re-apply **`root-application.yaml`** so Argo matches this repo.

clusters/noble/bootstrap/argocd/apps/kustomization.yaml

@@ -0,0 +1,6 @@
+# Intentionally empty: core platform (CNI, ingress, storage, observability, policy, etc.) is
+# installed by **ansible/playbooks/noble.yml** — not by Argo CD. Add optional Application
+# manifests here only for workloads you want GitOps-managed.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []

clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml

@@ -1,40 +0,0 @@
-# Kyverno policy chart — after operator is up (sync wave 1). Retries help if webhooks were still starting.
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-kyverno-policies
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  sources:
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno-policies
-      targetRevision: "3.7.1"
-      helm:
-        releaseName: kyverno-policies
-        namespace: kyverno
-        valueFiles:
-          - $values/clusters/noble/apps/kyverno/policies-values.yaml
-    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-      targetRevision: HEAD
-      ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-    retry:
-      limit: 10
-      backoff:
-        duration: 15s
-        factor: 2
-        maxDuration: 5m

clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml

@@ -1,35 +0,0 @@
-# Kyverno operator only — must apply before policies and before workloads that hit webhooks.
-# Sync wave 0 under **noble-root** (lower number runs first).
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-kyverno
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  sources:
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno
-      targetRevision: "3.7.1"
-      helm:
-        releaseName: kyverno
-        namespace: kyverno
-        valueFiles:
-          - $values/clusters/noble/apps/kyverno/values.yaml
-    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-      targetRevision: HEAD
-      ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true

clusters/noble/bootstrap/argocd/apps/noble-platform.yaml

@@ -1,91 +0,0 @@
-# Platform workloads (no Kyverno — those are **noble-kyverno** + **noble-kyverno-policies**). Sync wave 2.
-#
-# https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-platform
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "2"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  sources:
-    - repoURL: https://bitnami-labs.github.io/sealed-secrets
-      chart: sealed-secrets
-      targetRevision: "2.18.4"
-      helm:
-        releaseName: sealed-secrets
-        namespace: sealed-secrets
-        valueFiles:
-          - $values/clusters/noble/apps/sealed-secrets/values.yaml
-    - repoURL: https://charts.external-secrets.io
-      chart: external-secrets
-      targetRevision: "2.2.0"
-      helm:
-        releaseName: external-secrets
-        namespace: external-secrets
-        valueFiles:
-          - $values/clusters/noble/apps/external-secrets/values.yaml
-    - repoURL: https://helm.releases.hashicorp.com
-      chart: vault
-      targetRevision: "0.32.0"
-      helm:
-        releaseName: vault
-        namespace: vault
-        valueFiles:
-          - $values/clusters/noble/apps/vault/values.yaml
-    - repoURL: https://prometheus-community.github.io/helm-charts
-      chart: kube-prometheus-stack
-      targetRevision: "82.15.1"
-      helm:
-        releaseName: kube-prometheus
-        namespace: monitoring
-        valueFiles:
-          - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
-    - repoURL: https://grafana.github.io/helm-charts
-      chart: loki
-      targetRevision: "6.55.0"
-      helm:
-        releaseName: loki
-        namespace: loki
-        valueFiles:
-          - $values/clusters/noble/apps/loki/values.yaml
-    - repoURL: https://fluent.github.io/helm-charts
-      chart: fluent-bit
-      targetRevision: "0.56.0"
-      helm:
-        releaseName: fluent-bit
-        namespace: logging
-        valueFiles:
-          - $values/clusters/noble/apps/fluent-bit/values.yaml
-    - repoURL: https://kubernetes-sigs.github.io/headlamp/
-      chart: headlamp
-      targetRevision: "0.40.1"
-      helm:
-        releaseName: headlamp
-        namespace: headlamp
-        valueFiles:
-          - $values/clusters/noble/apps/headlamp/values.yaml
-    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-      targetRevision: HEAD
-      ref: values
-      path: clusters/noble/apps
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-    retry:
-      limit: 10
-      backoff:
-        duration: 15s
-        factor: 2
-        maxDuration: 5m

clusters/noble/bootstrap/argocd/root-application.yaml

@@ -1,11 +1,10 @@
-# App-of-apps root — apply after Argo CD is running.
+# App-of-apps root — apply after Argo CD is running (optional).
 #
 # 1. Set spec.source.repoURL (and targetRevision — **HEAD** tracks the remote default branch) to this repo.
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
-# Syncs **Application** YAMLs under **apps/** (**noble-kyverno**, **noble-kyverno-policies**, **noble-platform**). Cluster
-# workloads: **apps/noble-platform.yaml** (Helm chart sources + Git/Kustomize); **clusters/noble/apps/**
-# holds **values.yaml** and plain **kustomization.yaml** (resources only). Per-app READMEs stay the source of truth for versions.
+# **apps/kustomization.yaml** is intentionally empty: core platform is installed by **ansible/playbooks/noble.yml**,
+# not Argo. Add **Application** manifests under **apps/** only for optional GitOps-managed workloads.
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application