Update documentation and playbook to clarify Trivy Operator installation via Argo CD, removing direct Ansible role references. Adjust README and related files to reflect the new deployment order and ensure proper resource ownership, enhancing overall clarity for users.

2026-05-14 17:04:25 -04:00
parent c3c89b8f0a
commit a5869c242a
11 changed files with 25 additions and 20 deletions
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -2,7 +2,7 @@

 **Narrative walkthrough (Proxmox → Talos → platform → Argo):** [`docs/ansible-getting-started.md`](../docs/ansible-getting-started.md).

-Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talos Phase A** (genconfig → apply → bootstrap → kubeconfig), then **Phase B+** (CNI → add-ons → ingress → Argo CD → Kyverno → observability → Trivy, etc.). **Argo CD** does not reconcile core charts — optional GitOps starts from an empty [`clusters/noble/apps/kustomization.yaml`](../clusters/noble/apps/kustomization.yaml).
+Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talos Phase A** (genconfig → apply → bootstrap → kubeconfig), then **Phase B+** (CNI → add-ons → ingress → Argo CD → Kyverno → observability, etc.). **Trivy Operator** is installed via Argo (**`noble-trivy-operator`** app-of-apps), not **`noble.yml`**. **Argo CD** does not reconcile core charts — optional GitOps starts from an empty [`clusters/noble/apps/kustomization.yaml`](../clusters/noble/apps/kustomization.yaml).

 ## Order of operations

@@ -75,7 +75,6 @@ Override with `-e` when needed, e.g. **`-e noble_talos_skip_bootstrap=true`** if

 ```bash
 ansible-playbook playbooks/noble.yml --tags cilium,metallb
-ansible-playbook playbooks/noble.yml --tags trivy
 ansible-playbook playbooks/noble.yml --skip-tags newt
 ansible-playbook playbooks/noble.yml --tags velero -e noble_velero_install=true -e noble_velero_s3_bucket=... -e noble_velero_s3_url=...
 ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install=true
@@ -92,7 +91,7 @@ ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install
 |------|----------|
 | `talos_phase_a` | Talos genconfig, apply-config, bootstrap, kubeconfig |
 | `helm_repos` | `helm repo add` / `update` |
-| `noble_*` | Cilium, CSI Volume Snapshot CRDs + controller, metrics-server, Longhorn, MetalLB (20m Helm wait), kube-vip, Traefik, cert-manager, Newt, Argo CD, Kyverno, platform stack, **Authentik** (optional OIDC), **Trivy Operator**, Velero (optional) |
+| `noble_*` | Cilium, CSI Volume Snapshot CRDs + controller, metrics-server, Longhorn, MetalLB (20m Helm wait), kube-vip, Traefik, cert-manager, Newt, Argo CD, Kyverno, platform stack, **Authentik** (optional OIDC), Velero (optional). **Trivy Operator:** Argo leaf **`noble-trivy-operator`** (see `clusters/noble/bootstrap/argocd/app-of-apps/`); role **`noble_trivy`** is not invoked by **`noble.yml`**. |
 | `noble_landing_urls` | Writes **`ansible/output/noble-lab-ui-urls.md`** — URLs, service names, and (optional) Argo/Grafana passwords from Secrets |
 | `noble_post_deploy` | Post-install reminders |
 | `talos_bootstrap` | Genconfig-only (used by older playbook) |
--- a/ansible/playbooks/noble.yml
+++ b/ansible/playbooks/noble.yml
@@ -4,8 +4,9 @@
 # Run from repo **ansible/** directory:  ansible-playbook playbooks/noble.yml
 #
 # Tags: repos, cilium, csi_snapshot, metrics, longhorn, metallb, kube_vip, traefik, cert_manager, newt,
-#       argocd, kyverno, kyverno_policies, platform, authentik, trivy, velero, landing, all (default)
+#       argocd, kyverno, kyverno_policies, platform, authentik, velero, landing, all (default)
 # Argo leaf **Application** CRs are applied in play **tasks:** after **noble_velero** (Ansible Helm first, then GitOps).
+# Trivy Operator is **not** installed here — sync **noble-trivy-operator** from Argo (app-of-apps) after deploy.
 - name: Noble cluster — platform stack (Ansible-managed)
  hosts: localhost
  connection: local
@@ -231,13 +232,11 @@
      tags: [platform, observability, apps]
    - role: noble_authentik
      tags: [authentik, sso, oauth, oidc]
-    - role: noble_trivy
-      tags: [trivy, security, scanning]
    - role: noble_velero
      tags: [velero, backups]

  tasks:
-    # Leaf Application CRs must exist only after all Ansible Helm in this play (platform, authentik, trivy, …)
+    # Leaf Application CRs must exist only after all Ansible Helm in this play (platform, authentik, velero, …)
    # so argocd-controller does not SSA resources before Helm owns them; then Argo can take over (manual → auto).
    - name: Apply Argo CD root / bootstrap / leaf Application manifests (post–Ansible Helm)
      ansible.builtin.include_role:
--- a/ansible/roles/helm_repos/defaults/main.yml
+++ b/ansible/roles/helm_repos/defaults/main.yml
@@ -14,6 +14,5 @@ noble_helm_repos:
  - { name: headlamp, url: "https://kubernetes-sigs.github.io/headlamp/" }
  - { name: kyverno, url: "https://kyverno.github.io/kyverno/" }
  - { name: vmware-tanzu, url: "https://vmware-tanzu.github.io/helm-charts" }
-  - { name: aqua, url: "https://aquasecurity.github.io/helm-charts/" }
  - { name: goauthentik, url: "https://charts.goauthentik.io" }
  - { name: oauth2-proxy, url: "https://oauth2-proxy.github.io/manifests" }
--- a/ansible/roles/noble_argocd/tasks/applications_post_platform.yml
+++ b/ansible/roles/noble_argocd/tasks/applications_post_platform.yml
@@ -1,7 +1,7 @@
 ---
-# Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_trivy**,
-# **noble_velero** (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm
-# finishes, or **argocd-controller** can SSA resources without Helm release metadata (e.g. Trivy ServiceAccount).
+# Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_velero**
+# (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm finishes, or
+# **argocd-controller** can SSA resources without Helm release metadata (e.g. chart-owned ServiceAccounts).
 - name: Apply Argo CD root Application (app-of-apps)
  ansible.builtin.command:
    argv:
--- a/ansible/roles/noble_post_deploy/tasks/main.yml
+++ b/ansible/roles/noble_post_deploy/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: Argo CD optional root Application (empty app-of-apps)
  ansible.builtin.debug:
    msg: >-
-      App-of-apps: at the **end** of **noble.yml** (after **noble_platform**, **noble_authentik**, **noble_trivy**,
+      App-of-apps: at the **end** of **noble.yml** (after **noble_platform**, **noble_authentik**,
      **noble_velero**), **noble_argocd** `applications_post_platform.yml` runs: root-application.yaml when
      noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k argocd/app-of-apps**
      when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml).