diff --git a/clusters/noble/apps/kube-prometheus-stack/values.yaml b/clusters/noble/apps/kube-prometheus-stack/values.yaml index 0c9d507..de02707 100644 --- a/clusters/noble/apps/kube-prometheus-stack/values.yaml +++ b/clusters/noble/apps/kube-prometheus-stack/values.yaml @@ -16,6 +16,14 @@ # # Grafana admin password: Secret `kube-prometheus-grafana` keys `admin-user` / `admin-password` unless you set grafana.adminPassword. +# Use cert-manager for admission webhook TLS instead of Helm pre-hook Jobs (patch/create Secret). +# Those Jobs are validated by Kyverno before `kyverno-svc` exists during a single Argo sync, which fails. +# Requires cert-manager CRDs (bootstrap before this chart). +prometheusOperator: + admissionWebhooks: + certManager: + enabled: true + # --- Longhorn-backed persistence (default chart storage is emptyDir) --- alertmanager: alertmanagerSpec: diff --git a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml index 65f9b8c..23f3793 100644 --- a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml +++ b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml @@ -1,8 +1,8 @@ # Multi-source: native Helm (no Kustomize helmCharts → no **--enable-helm**). One Git source uses # **ref: values** (for **$values/...**) and **path** (Kustomize) together — see multiple_sources docs. # -# UI: some Argo CD versions summarize multi-source apps oddly in the graph; the **Resource list** -# still reflects the merged set. **ServerSideApply** avoids huge CRD client-side apply annotations. +# Helm order: Kyverno before kube-prometheus so policy webhooks can resolve during sync; see +# **kube-prometheus-stack/values.yaml** (cert-manager admission TLS — avoids Kyverno failing pre-hook Jobs). # # https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/ apiVersion: argoproj.io/v1alpha1 
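Review bot: The new `prometheusOperator.admissionWebhooks.certManager.enabled: true` block records its cert-manager dependency only in a comment; nothing in this change shows where cert-manager is installed or that it is synced before this chart. If the cert-manager CRDs are not served when this Application syncs, the Issuer and Certificate the chart renders are rejected by the API server and the operator's admission webhook is left without a CA bundle, so the very sync this change is meant to unblock fails in a different place. Suggest pointing the comment at the concrete dependency, for example `# Requires cert-manager CRDs and cainjector (synced via <CERT_MANAGER_APP>, must be Healthy before this chart).`, so the next reader can verify it. If the cluster already has an organisation CA, consider setting `certManager.issuerRef` rather than relying on the chart's default self-signed Issuer.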
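Review bot: The new header comment claims that listing Kyverno before kube-prometheus in `spec.sources` makes its webhooks resolvable during sync, but Argo CD renders all sources into one manifest set and orders the sync by phase, `argocd.argoproj.io/sync-wave` and resource kind rather than by source position, so the reorder in the two later hunks of this file does not by itself guarantee that `kyverno-svc` exists when kube-prometheus resources are admitted. The change that actually removes the failure is the cert-manager switch in values.yaml; if ordering still matters, express it with sync waves or a separate Application and reword the comment to `# Source order does not control apply order; cert-manager admission TLS (see kube-prometheus-stack/values.yaml) avoids the Kyverno pre-hook Job failure.` The removed sentence about **ServerSideApply** explained a sync option that presumably still exists outside this hunk; keep that rationale if `ServerSideApply=true` is still set.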
@@ -15,30 +15,22 @@ metadata:
 spec:
 project: default
 sources:
- - repoURL: https://prometheus-community.github.io/helm-charts
- chart: kube-prometheus-stack
- targetRevision: "82.15.1"
+ - repoURL: https://kyverno.github.io/kyverno/
+ chart: kyverno
+ targetRevision: "3.7.1"
 helm:
- releaseName: kube-prometheus
- namespace: monitoring
+ releaseName: kyverno
+ namespace: kyverno
 valueFiles:
- - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
- - repoURL: https://grafana.github.io/helm-charts
- chart: loki
- targetRevision: "6.55.0"
+ - $values/clusters/noble/apps/kyverno/values.yaml
+ - repoURL: https://kyverno.github.io/kyverno/
+ chart: kyverno-policies
+ targetRevision: "3.7.1"
 helm:
- releaseName: loki
- namespace: loki
+ releaseName: kyverno-policies
+ namespace: kyverno
 valueFiles:
- - $values/clusters/noble/apps/loki/values.yaml
- - repoURL: https://fluent.github.io/helm-charts
- chart: fluent-bit
- targetRevision: "0.56.0"
- helm:
- releaseName: fluent-bit
- namespace: logging
- valueFiles:
- - $values/clusters/noble/apps/fluent-bit/values.yaml
+ - $values/clusters/noble/apps/kyverno/policies-values.yaml
 - repoURL: https://bitnami-labs.github.io/sealed-secrets
 chart: sealed-secrets
 targetRevision: "2.18.4"
@@ -63,22 +55,30 @@ spec:
 namespace: vault
 valueFiles:
 - $values/clusters/noble/apps/vault/values.yaml
- - repoURL: https://kyverno.github.io/kyverno/
- chart: kyverno
- targetRevision: "3.7.1"
+ - repoURL: https://prometheus-community.github.io/helm-charts
+ chart: kube-prometheus-stack
+ targetRevision: "82.15.1"
 helm:
- releaseName: kyverno
- namespace: kyverno
+ releaseName: kube-prometheus
+ namespace: monitoring
 valueFiles:
- - $values/clusters/noble/apps/kyverno/values.yaml
- - repoURL: https://kyverno.github.io/kyverno/
- chart: kyverno-policies
- targetRevision: "3.7.1"
+ - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
+ - repoURL: https://grafana.github.io/helm-charts
+ chart: loki
+ targetRevision: "6.55.0"
 helm:
- releaseName: kyverno-policies
- namespace: kyverno
+ releaseName: loki
+ namespace: loki
 valueFiles:
- - $values/clusters/noble/apps/kyverno/policies-values.yaml
+ - $values/clusters/noble/apps/loki/values.yaml
+ - repoURL: https://fluent.github.io/helm-charts
+ chart: fluent-bit
+ targetRevision: "0.56.0"
+ helm:
+ releaseName: fluent-bit
+ namespace: logging
+ valueFiles:
+ - $values/clusters/noble/apps/fluent-bit/values.yaml
 - repoURL: https://kubernetes-sigs.github.io/headlamp/
 chart: headlamp
 targetRevision: "0.40.1"