gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update documentation and playbook to clarify Trivy Operator installation via Argo CD, removing direct Ansible role references. Adjust README and related files to reflect the new deployment order and ensure proper resource ownership, enhancing overall clarity for users.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 17:04:25 -04:00
parent c3c89b8f0a
commit a5869c242a
11 changed files with 25 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
clusters/noble/bootstrap/argocd/README.md
View File

@@ -52,13 +52,13 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
## 4. App-of-apps (GitOps)
**Ansible** (`ansible/playbooks/noble.yml`) runs **`kubectl apply -k clusters/noble/bootstrap`** from **`noble_platform`**, then Helm for the platform stack, **then** **`noble_authentik`**, **`noble_trivy`**, **`noble_velero`**, and **only then** (play **`tasks:`**) **`noble_argocd`** `applications_post_platform.yml` applies **`root-application.yaml`**, **`bootstrap-root-application.yaml`**, and **`kubectl apply -k clusters/noble/bootstrap/argocd/app-of-apps`**. That order keeps **Ansible Helm first** and lets Argo **take ownership** when you sync or enable automation (no premature SSA vs Helm).
**Ansible** (`ansible/playbooks/noble.yml`) runs **`kubectl apply -k clusters/noble/bootstrap`** from **`noble_platform`**, then Helm for the platform stack, **then** **`noble_authentik`**, **`noble_velero`**, and **only then** (play **`tasks:`**) **`noble_argocd`** `applications_post_platform.yml` applies **`root-application.yaml`**, **`bootstrap-root-application.yaml`**, and **`kubectl apply -k clusters/noble/bootstrap/argocd/app-of-apps`**. **Trivy Operator** is **not** installed by Ansible; sync the **`noble-trivy-operator`** leaf app (or enable automation) after **`noble.yml`**. That order keeps **Ansible Helm first** and lets Argo **take ownership** when you sync or enable automation (no premature SSA vs Helm).
1. Edit **`root-application.yaml`** and **`bootstrap-root-application.yaml`**: set **`repoURL`** and **`targetRevision`**. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argos path-qualified form so **`kubectl apply`** does not warn about finalizer names.
2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
3. **Bootstrap kustomize** (namespaces, datasource, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`** (no **`argocd/app-of-apps/`** in that kustomization). Leaf **`Application`** manifests live under **`argocd/app-of-apps/`**; Ansible applies that directory **after** all **`noble_*`** Helm roles in **`noble.yml`** (see §4) so Argo does not SSA charts before Helm. The root app uses **manual** sync; each leaf app is **manual** until you enable automation (see **§5**).
**`ansible/playbooks/noble.yml`**: roles **`noble_argocd`** (Argo Helm only), **`noble_platform`**, **`noble_authentik`**, **`noble_trivy`**, **`noble_velero`**, then play **`tasks`** run **`applications_post_platform`** when **`noble_argocd_apply_*`** flags are set in **`ansible/inventory/group_vars/all.yml`**.
**`ansible/playbooks/noble.yml`**: roles **`noble_argocd`** (Argo Helm only), **`noble_platform`**, **`noble_authentik`**, **`noble_velero`**, then play **`tasks`** run **`applications_post_platform`** when **`noble_argocd_apply_*`** flags are set in **`ansible/inventory/group_vars/all.yml`**. Trivy is deployed only via Argo (**`noble-trivy-operator`**).
```bash
kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
@@ -67,9 +67,15 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
If you migrated from older GitOps **`Application`** names, delete stale **`Application`** objects on the cluster (see **`clusters/noble/apps/README.md`**) then re-apply the roots.
**Trivy (`noble-trivy-operator`):** If an older install left an orphan **`ServiceMonitor`** named **`trivy-operator`** in **`monitoring`** (missing `meta.helm.sh/release-*` annotations), Helm/Argo will refuse to adopt it. Delete once, then sync **`noble-trivy-operator`**:
```bash
kubectl delete servicemonitor trivy-operator -n monitoring --ignore-not-found
```
## 5. After Ansible: enable automated sync for **noble-bootstrap-root**
Do this only after **`ansible-playbook playbooks/noble.yml`** has finished successfully (including **`noble_platform`** / **`noble_authentik`** / **`noble_trivy`** Helm and the final **`applications_post_platform`** `kubectl apply` of leaf **Application** CRs). Until then, leave **manual** sync so Argo does not fight the playbook.
Do this only after **`ansible-playbook playbooks/noble.yml`** has finished successfully (including **`noble_platform`** / **`noble_authentik`** Helm, **`noble_velero`** if enabled, and the final **`applications_post_platform`** `kubectl apply` of leaf **Application** CRs). Until then, leave **manual** sync so Argo does not fight the playbook.
**Required steps**
@@ -99,7 +105,7 @@ Do this only after **`ansible-playbook playbooks/noble.yml`** has finished succe
5. Trigger a sync if the app does not go green immediately: **Sync** in the UI, or `argocd app sync noble-bootstrap-root`.
6. **Leaf apps** (`noble-cilium`, `noble-kube-prometheus`, … under **`app-of-apps/`**) stay **manual** until you turn on **AUTO-SYNC** (or sync once) **per app** after Ansible has finished. Until then they only register intent in Argo; **Ansible** still performs the Helm installs in **`noble_*`** roles. When you are ready for Argo to own a chart, enable sync for that leaf app and **remove** the corresponding **`helm upgrade`** task from Ansible so only one controller manages the release.
6. **Leaf apps** (`noble-cilium`, `noble-kube-prometheus`, … under **`app-of-apps/`**) stay **manual** until you turn on **AUTO-SYNC** (or sync once) **per app** after Ansible has finished. Until then they only register intent in Argo; **Ansible** still performs the Helm installs in **`noble_*`** roles for those charts (**Trivy Operator** is an exception — install/sync only via **`noble-trivy-operator`**). When you are ready for Argo to own a chart, enable sync for that leaf app and **remove** the corresponding **`helm upgrade`** task from Ansible so only one controller manages the release.
If **`helm upgrade`** failed with **conflict with `argocd-controller`**, a leaf app had already reconciled: apply the updated manifests (manual leaf sync), delete the conflicting **`Application`** with **`--cascade=false`** if needed, then re-run the playbook — or finish migration to Argo-only for that chart.

2
clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml
View File

@@ -22,7 +22,7 @@ spec:
destination:
server: https://kubernetes.default.svc
namespace: trivy-system
# Manual sync: Ansible helm runs first; enable automation after cutover (see ../README.md §5).
# Manual sync after **noble.yml**: install Trivy via Argo only (not Ansible). Enable automation after cutover (../README.md §5).
syncPolicy:
syncOptions:
- CreateNamespace=true

2
clusters/noble/bootstrap/kustomization.yaml
View File

@@ -1,7 +1,7 @@
# Ansible **noble_platform**: `kubectl apply -k` this directory (namespaces + static YAML only).
# Leaf Argo **Application** manifests live under **argocd/app-of-apps/** and are applied at the **end**
# of **ansible/playbooks/noble.yml** (play **tasks:** → **noble_argocd** `applications_post_platform.yml`) so
# **argocd-controller** does not SSA chart resources before **helm upgrade** (platform, authentik, trivy, …).
# **argocd-controller** does not SSA chart resources before **helm upgrade** (platform, authentik, velero, …).
#
# **noble-bootstrap-root** syncs this same path for GitOps on namespaces/datasource/VolumeSnapshotClass.
# Per-chart GitOps: each **noble-*** app under **argocd/app-of-apps/** (manual sync until you cut over).

2
clusters/noble/bootstrap/trivy/namespace.yaml
View File

@@ -1,4 +1,4 @@
# Trivy Operator — apply before Helm (Ansible **noble_trivy**).
# Trivy Operator — namespace + PSA; applied with **noble_platform** bootstrap kustomize before Argo syncs the chart.
# Scan jobs may use elevated capabilities; align with other operator namespaces.
apiVersion: v1
kind: Namespace

2
clusters/noble/bootstrap/trivy/values.yaml
View File

@@ -1,5 +1,7 @@
# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
#
# Manual Helm (if not using Argo):
# helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
# kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml
# helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \