Refactor Argo CD application management by removing noble-kyverno and noble-platform configurations, transitioning to Ansible-driven installations. Update documentation to clarify the optional nature of app-of-apps and the role of kustomization.yaml as an empty resource holder. Ensure users are informed about the need to delete stale Applications when migrating from previous configurations.

clusters/noble/bootstrap/argocd/apps/README.md

@@ -1,11 +1,17 @@
-# Argo CD — app-of-apps children
+# Argo CD — app-of-apps children (optional GitOps only)
 
-**`noble-root`** syncs this directory. Order matters for **Kyverno** webhooks:
+**Core platform is Ansible-managed** — see repository **`ansible/README.md`** and **`ansible/playbooks/noble.yml`**.
 
-| Application | Sync wave | Role |
-|-------------|-----------|------|
-| **`noble-kyverno`** | `0` | Kyverno operator only |
-| **`noble-kyverno-policies`** | `1` | `kyverno-policies` chart (after operator) |
-| **`noble-platform`** | `2` | Sealed Secrets, ESO, Vault, observability, Headlamp + Git/Kustomize |
+This directory’s **`kustomization.yaml`** has **`resources: []`** so **`noble-root`** (if applied) does not reconcile Helm charts or cluster add-ons. **Add `Application` manifests here only** for apps you want Argo to manage (for example, sample workloads or third-party charts not covered by the bootstrap playbook).
 
-**`noble-platform`** uses **Helm** `sources` + Git **`ref`/`path`**; **`clusters/noble/apps/kustomization.yaml`** is plain resources (no **`helmCharts`**).
+| Previous (removed) | Now |
+|--------------------|-----|
+| **`noble-kyverno`**, **`noble-kyverno-policies`**, **`noble-platform`** | Installed by Ansible roles **`noble_kyverno`**, **`noble_kyverno_policies`**, **`noble_platform`** |
+
+If you previously synced **`noble-root`** with the old child manifests, delete stale Applications on the cluster:
+
+```bash
+kubectl delete application -n argocd noble-platform noble-kyverno noble-kyverno-policies --ignore-not-found
+```
+
+Then re-apply **`root-application.yaml`** so Argo matches this repo.

clusters/noble/bootstrap/argocd/apps/kustomization.yaml

@@ -0,0 +1,6 @@
+# Intentionally empty: core platform (CNI, ingress, storage, observability, policy, etc.) is
+# installed by **ansible/playbooks/noble.yml** — not by Argo CD. Add optional Application
+# manifests here only for workloads you want GitOps-managed.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []

clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml

@@ -1,40 +0,0 @@
-# Kyverno policy chart — after operator is up (sync wave 1). Retries help if webhooks were still starting.
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-kyverno-policies
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  sources:
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno-policies
-      targetRevision: "3.7.1"
-      helm:
-        releaseName: kyverno-policies
-        namespace: kyverno
-        valueFiles:
-          - $values/clusters/noble/apps/kyverno/policies-values.yaml
-    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-      targetRevision: HEAD
-      ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-    retry:
-      limit: 10
-      backoff:
-        duration: 15s
-        factor: 2
-        maxDuration: 5m

clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml

@@ -1,35 +0,0 @@
-# Kyverno operator only — must apply before policies and before workloads that hit webhooks.
-# Sync wave 0 under **noble-root** (lower number runs first).
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-kyverno
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  sources:
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno
-      targetRevision: "3.7.1"
-      helm:
-        releaseName: kyverno
-        namespace: kyverno
-        valueFiles:
-          - $values/clusters/noble/apps/kyverno/values.yaml
-    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-      targetRevision: HEAD
-      ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true

clusters/noble/bootstrap/argocd/apps/noble-platform.yaml

@@ -1,91 +0,0 @@
-# Platform workloads (no Kyverno — those are **noble-kyverno** + **noble-kyverno-policies**). Sync wave 2.
-#
-# https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-platform
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "2"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  sources:
-    - repoURL: https://bitnami-labs.github.io/sealed-secrets
-      chart: sealed-secrets
-      targetRevision: "2.18.4"
-      helm:
-        releaseName: sealed-secrets
-        namespace: sealed-secrets
-        valueFiles:
-          - $values/clusters/noble/apps/sealed-secrets/values.yaml
-    - repoURL: https://charts.external-secrets.io
-      chart: external-secrets
-      targetRevision: "2.2.0"
-      helm:
-        releaseName: external-secrets
-        namespace: external-secrets
-        valueFiles:
-          - $values/clusters/noble/apps/external-secrets/values.yaml
-    - repoURL: https://helm.releases.hashicorp.com
-      chart: vault
-      targetRevision: "0.32.0"
-      helm:
-        releaseName: vault
-        namespace: vault
-        valueFiles:
-          - $values/clusters/noble/apps/vault/values.yaml
-    - repoURL: https://prometheus-community.github.io/helm-charts
-      chart: kube-prometheus-stack
-      targetRevision: "82.15.1"
-      helm:
-        releaseName: kube-prometheus
-        namespace: monitoring
-        valueFiles:
-          - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
-    - repoURL: https://grafana.github.io/helm-charts
-      chart: loki
-      targetRevision: "6.55.0"
-      helm:
-        releaseName: loki
-        namespace: loki
-        valueFiles:
-          - $values/clusters/noble/apps/loki/values.yaml
-    - repoURL: https://fluent.github.io/helm-charts
-      chart: fluent-bit
-      targetRevision: "0.56.0"
-      helm:
-        releaseName: fluent-bit
-        namespace: logging
-        valueFiles:
-          - $values/clusters/noble/apps/fluent-bit/values.yaml
-    - repoURL: https://kubernetes-sigs.github.io/headlamp/
-      chart: headlamp
-      targetRevision: "0.40.1"
-      helm:
-        releaseName: headlamp
-        namespace: headlamp
-        valueFiles:
-          - $values/clusters/noble/apps/headlamp/values.yaml
-    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-      targetRevision: HEAD
-      ref: values
-      path: clusters/noble/apps
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-    retry:
-      limit: 10
-      backoff:
-        duration: 15s
-        factor: 2
-        maxDuration: 5m