Add Trivy integration to noble cluster setup, including namespace and application configurations. Update README and playbook tags to reflect new security scanning capabilities. Enhance Longhorn and kube-prometheus-stack deployment reliability with increased timeout settings and retry mechanisms.

This commit is contained in:
Nikholas Pcenicni
2026-05-13 23:48:12 -04:00
parent 774b97894c
commit 663ebc5001
16 changed files with 223 additions and 13 deletions


@@ -9,6 +9,12 @@
# outside baseline (see namespace PSA labels under clusters/noble/bootstrap/*/namespace.yaml)
# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
#
# failurePolicy **Ignore** (chart default is Fail): when the apiserver cannot reach Kyverno
# within the webhook timeout (e.g. admission overloaded during Helm hooks / Longhorn
# post-upgrade Job), Fail denies the request and breaks installs. Ignore allows the request
# through on transport failure only — policy violations are still handled per
# validationFailureAction when Kyverno responds.
#
# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
# kubectl delete clusterpolicyreport --all
# kubectl delete policyreport -A --all
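Review bot: the new comment block explains why failurePolicy is Ignore but, in the sentence "Ignore allows the request through on transport failure only — policy violations are still handled per validationFailureAction when Kyverno responds", it should also state the consequence: a request admitted while Kyverno is unreachable is never evaluated at all, so it produces no PolicyReport entry either, and such admissions are only visible through apiserver webhook failure metrics/logs. Also, the two cleanup commands at the end (`kubectl delete clusterpolicyreport --all` / `kubectl delete policyreport -A --all`) discard every report row, current findings included, not just the stale ones the sentence "Kyverno does not always prune old PolicyReport rows" refers to; say so in the comment so an operator does not run them expecting a prune.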
@@ -22,10 +28,10 @@ policyType: ClusterPolicy
podSecurityStandard: baseline
podSecuritySeverity: medium
validationFailureAction: Audit
failurePolicy: Fail
failurePolicy: Ignore
validationAllowExistingViolations: true
# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/bootstrap).
# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/bootstrap). Includes **trivy-system**.
x-kyverno-exclude-infra: &kyverno_exclude_infra
any:
- resources:
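Review bot: the `failurePolicy: Fail` -> `failurePolicy: Ignore` change in this hunk is a security-relevant behaviour change that the commit message does not mention (it only describes the Trivy integration, README/tag updates and the Longhorn/kube-prometheus-stack timeout and retry changes); add it to the message. With `validationFailureAction: Audit` the policies are already non-blocking, so Ignore currently only affects whether audit results exist during a webhook outage, but if validationFailureAction is later switched to Enforce this line turns into a fail-open bypass; a one-line note next to `failurePolicy: Ignore` pointing that out would save a future reader from missing it. Minor: the rewritten comment on the `x-kyverno-exclude-infra` anchor uses markdown bold (`**trivy-system**`) inside a YAML comment, which is just literal asterisks here; plain text reads better.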
@@ -44,6 +50,7 @@ x-kyverno-exclude-infra: &kyverno_exclude_infra
- monitoring
- newt
- traefik
- trivy-system
policyExclude:
disallow-capabilities: *kyverno_exclude_infra
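Review bot: adding `trivy-system` to `kyverno_exclude_infra` removes the baseline checks (e.g. `disallow-capabilities`, per `policyExclude`) for every pod in that namespace, not only the scanner workloads that may need elevated privileges; if only some Trivy components need the exemption, a narrower exclusion by workload selector would keep the rest of the namespace covered. Either way, confirm that the namespace's PSA labels under `clusters/noble/bootstrap/*/namespace.yaml` (referenced in the comment at the top of this file) are set deliberately for trivy-system, so the namespace is not left unconstrained at both the Kyverno and PSA layers by accident.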