Update Cilium application configuration to ignore differences for hubble-server-certs Secret, add Helm value files for better management, and enhance Argo CD kustomization with resource ordering and sync options.

clusters/noble/apps/cilium/application.yaml

@@ -7,6 +7,15 @@ metadata:
     argocd.argoproj.io/sync-wave: "0"
 spec:
   project: default
+  # Helm TLS material for Hubble is rotated/generated; Argo SSA and CLI helm
+  # upgrades both touch Secret data and cause apply conflicts unless ignored.
+  ignoreDifferences:
+    - group: ""
+      kind: Secret
+      name: hubble-server-certs
+      namespace: kube-system
+      jqPathExpressions:
+        - .data
   destination:
     server: https://kubernetes.default.svc
     namespace: kube-system
@@ -15,39 +24,16 @@ spec:
       chart: cilium
       targetRevision: 1.16.6
       helm:
-        valuesObject:
-          k8sServiceHost: 192.168.50.20
-          k8sServicePort: 6443
-          cgroup:
-            autoMount:
-              enabled: false
-            hostRoot: /sys/fs/cgroup
-          ipam:
-            operator:
-              clusterPoolIPv4PodCIDRList:
-                - 10.244.0.0/16
-          securityContext:
-            capabilities:
-              ciliumAgent:
-                - CHOWN
-                - KILL
-                - NET_ADMIN
-                - NET_RAW
-                - IPC_LOCK
-                - SYS_ADMIN
-                - SYS_RESOURCE
-                - DAC_OVERRIDE
-                - FOWNER
-                - SETGID
-                - SETUID
-              cleanCiliumState:
-                - NET_ADMIN
-                - SYS_ADMIN
-                - SYS_RESOURCE
+        valueFiles:
+          - $values/clusters/noble/apps/cilium/helm-values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: HEAD
+      ref: values
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
+      - RespectIgnoreDifferences=true