Add task to manage hubble-server-certs Secret for Argo CD compatibility, ensuring proper Helm SSA conflict resolution during deployment.

ansible/roles/noble_cilium/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# When true, delete **kube-system/hubble-server-certs** if its **managedFields** show **argocd-controller**
+# (recover from Helm SSA conflicts after Argo synced Cilium before Ansible).
+noble_cilium_repair_argo_ssa_on_hubble_secret: true

ansible/roles/noble_cilium/tasks/main.yml

@@ -1,4 +1,43 @@
 ---
+# Argo may have server-side-applied chart-owned Secrets during earlier runs; Helm then fails with
+# "conflict with argocd-controller". Drop the Secret only when that manager is present.
+- name: Read hubble-server-certs Secret (if any) for SSA repair
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - get
+      - secret
+      - hubble-server-certs
+      - -n
+      - kube-system
+      - -o
+      - json
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_cilium_hubble_secret_json
+  failed_when: false
+  changed_when: false
+  when: noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
+
+- name: Remove hubble-server-certs when Argo is a field manager (Helm SSA conflict recovery)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - delete
+      - secret
+      - hubble-server-certs
+      - -n
+      - kube-system
+      - --wait=false
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when:
+    - noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
+    - not (noble_cilium_hubble_secret_json.skipped | default(false))
+    - noble_cilium_hubble_secret_json.rc | default(-1) | int == 0
+    - '"argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default(""))'
+  changed_when: true
+
 - name: Install Cilium (required CNI for Talos cni:none)
   ansible.builtin.command:
     argv: