Enable cert-manager for admission webhook TLS in kube-prometheus-stack values.yaml to prevent Kyverno pre-hook Job failures during Argo sync. Update noble-platform.yaml to adjust Helm chart sources and maintain proper order for Kyverno and kube-prometheus-stack, ensuring correct resource management and deployment flow.

2026-03-28 02:25:59 -04:00
parent 1a3c8378d4
commit 90cd34c34f
2 changed files with 42 additions and 34 deletions
--- a/clusters/noble/apps/kube-prometheus-stack/values.yaml
+++ b/clusters/noble/apps/kube-prometheus-stack/values.yaml
@@ -16,6 +16,14 @@
 #
 # Grafana admin password: Secret `kube-prometheus-grafana` keys `admin-user` / `admin-password` unless you set grafana.adminPassword.

+# Use cert-manager for admission webhook TLS instead of Helm pre-hook Jobs (patch/create Secret).
+# Those Jobs are validated by Kyverno before `kyverno-svc` exists during a single Argo sync, which fails.
+# Requires cert-manager CRDs (bootstrap before this chart).
+prometheusOperator:
+  admissionWebhooks:
+    certManager:
+      enabled: true
+
 # --- Longhorn-backed persistence (default chart storage is emptyDir) ---
 alertmanager:
  alertmanagerSpec:
--- a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
+++ b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
@@ -1,8 +1,8 @@
 # Multi-source: native Helm (no Kustomize helmCharts → no **--enable-helm**). One Git source uses
 # **ref: values** (for **$values/...**) and **path** (Kustomize) together — see multiple_sources docs.
 #
-# UI: some Argo CD versions summarize multi-source apps oddly in the graph; the **Resource list**
-# still reflects the merged set. **ServerSideApply** avoids huge CRD client-side apply annotations.
+# Helm order: Kyverno before kube-prometheus so policy webhooks can resolve during sync; see
+# **kube-prometheus-stack/values.yaml** (cert-manager admission TLS — avoids Kyverno failing pre-hook Jobs).
 #
 # https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/
 apiVersion: argoproj.io/v1alpha1
@@ -15,30 +15,22 @@ metadata:
 spec:
  project: default
  sources:
-    - repoURL: https://prometheus-community.github.io/helm-charts
-      chart: kube-prometheus-stack
-      targetRevision: "82.15.1"
+    - repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno
+      targetRevision: "3.7.1"
      helm:
-        releaseName: kube-prometheus
-        namespace: monitoring
+        releaseName: kyverno
+        namespace: kyverno
        valueFiles:
-          - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
-    - repoURL: https://grafana.github.io/helm-charts
-      chart: loki
-      targetRevision: "6.55.0"
+          - $values/clusters/noble/apps/kyverno/values.yaml
+    - repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno-policies
+      targetRevision: "3.7.1"
      helm:
-        releaseName: loki
-        namespace: loki
+        releaseName: kyverno-policies
+        namespace: kyverno
        valueFiles:
-          - $values/clusters/noble/apps/loki/values.yaml
-    - repoURL: https://fluent.github.io/helm-charts
-      chart: fluent-bit
-      targetRevision: "0.56.0"
-      helm:
-        releaseName: fluent-bit
-        namespace: logging
-        valueFiles:
-          - $values/clusters/noble/apps/fluent-bit/values.yaml
+          - $values/clusters/noble/apps/kyverno/policies-values.yaml
    - repoURL: https://bitnami-labs.github.io/sealed-secrets
      chart: sealed-secrets
      targetRevision: "2.18.4"
@@ -63,22 +55,30 @@ spec:
        namespace: vault
        valueFiles:
          - $values/clusters/noble/apps/vault/values.yaml
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno
-      targetRevision: "3.7.1"
+    - repoURL: https://prometheus-community.github.io/helm-charts
+      chart: kube-prometheus-stack
+      targetRevision: "82.15.1"
      helm:
-        releaseName: kyverno
-        namespace: kyverno
+        releaseName: kube-prometheus
+        namespace: monitoring
        valueFiles:
-          - $values/clusters/noble/apps/kyverno/values.yaml
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno-policies
-      targetRevision: "3.7.1"
+          - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
+    - repoURL: https://grafana.github.io/helm-charts
+      chart: loki
+      targetRevision: "6.55.0"
      helm:
-        releaseName: kyverno-policies
-        namespace: kyverno
+        releaseName: loki
+        namespace: loki
        valueFiles:
-          - $values/clusters/noble/apps/kyverno/policies-values.yaml
+          - $values/clusters/noble/apps/loki/values.yaml
+    - repoURL: https://fluent.github.io/helm-charts
+      chart: fluent-bit
+      targetRevision: "0.56.0"
+      helm:
+        releaseName: fluent-bit
+        namespace: logging
+        valueFiles:
+          - $values/clusters/noble/apps/fluent-bit/values.yaml
    - repoURL: https://kubernetes-sigs.github.io/headlamp/
      chart: headlamp
      targetRevision: "0.40.1"