From c148454e91664f7344caa87b6cefa51d63d27469 Mon Sep 17 00:00:00 2001 From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com> Date: Sat, 28 Mar 2026 02:05:09 -0400 Subject: [PATCH] Refine Argo CD documentation and configuration. Update README.md to clarify the relationship between noble-root and child applications, and enhance instructions for syncing workloads. Modify root-application.yaml to specify the use of kustomization.yaml for cluster workloads. Adjust values.yaml to enable Helm inflation for Kustomize charts. Update apps/README.md to streamline application management and clarify deployment processes. --- clusters/noble/apps/kustomization.yaml | 77 +++++++++++++++++++ clusters/noble/bootstrap/argocd/README.md | 2 +- .../noble/bootstrap/argocd/apps/README.md | 9 +-- .../bootstrap/argocd/apps/noble-platform.yaml | 27 +++++++ .../bootstrap/argocd/root-application.yaml | 5 +- clusters/noble/bootstrap/argocd/values.yaml | 3 + 6 files changed, 114 insertions(+), 9 deletions(-) create mode 100644 clusters/noble/apps/kustomization.yaml create mode 100644 clusters/noble/bootstrap/argocd/apps/noble-platform.yaml diff --git a/clusters/noble/apps/kustomization.yaml b/clusters/noble/apps/kustomization.yaml new file mode 100644 index 0000000..296d13e --- /dev/null +++ b/clusters/noble/apps/kustomization.yaml 
@@ -0,0 +1,77 @@
+# Umbrella for Argo CD Application **noble-platform** — one sync target for core Helm releases
+# plus shared manifests. Per-app READMEs keep manual **`helm upgrade --install`** commands;
+# **values.yaml** paths match those commands.
+#
+# Requires repo-server Kustomize **--enable-helm** (see **bootstrap/argocd/values.yaml**).
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - kube-prometheus-stack/namespace.yaml
+ - loki/namespace.yaml
+ - fluent-bit/namespace.yaml
+ - sealed-secrets/namespace.yaml
+ - external-secrets/namespace.yaml
+ - vault/namespace.yaml
+ - kyverno/namespace.yaml
+ - headlamp/namespace.yaml
+ - grafana-loki-datasource/loki-datasource.yaml
+ - vault/unseal-cronjob.yaml
+ - vault/cilium-network-policy.yaml
+
+helmCharts:
+ - name: kube-prometheus-stack
+ repo: https://prometheus-community.github.io/helm-charts
+ version: 82.15.1
+ releaseName: kube-prometheus
+ namespace: monitoring
+ valuesFile: kube-prometheus-stack/values.yaml
+ includeCRDs: true
+ - name: loki
+ repo: https://grafana.github.io/helm-charts
+ version: 6.55.0
+ releaseName: loki
+ namespace: loki
+ valuesFile: loki/values.yaml
+ - name: fluent-bit
+ repo: https://fluent.github.io/helm-charts
+ version: 0.56.0
+ releaseName: fluent-bit
+ namespace: logging
+ valuesFile: fluent-bit/values.yaml
+ - name: sealed-secrets
+ repo: https://bitnami-labs.github.io/sealed-secrets
+ version: 2.18.4
+ releaseName: sealed-secrets
+ namespace: sealed-secrets
+ valuesFile: sealed-secrets/values.yaml
+ - name: external-secrets
+ repo: https://charts.external-secrets.io
+ version: 2.2.0
+ releaseName: external-secrets
+ namespace: external-secrets
+ valuesFile: external-secrets/values.yaml
+ - name: vault
+ repo: https://helm.releases.hashicorp.com
+ version: 0.32.0
+ releaseName: vault
+ namespace: vault
+ valuesFile: vault/values.yaml
+ - name: kyverno
+ repo: https://kyverno.github.io/kyverno/
+ version: 3.7.1
+ releaseName: kyverno
+
namespace: kyverno + valuesFile: kyverno/values.yaml + - name: kyverno-policies + repo: https://kyverno.github.io/kyverno/ + version: 3.7.1 + releaseName: kyverno-policies + namespace: kyverno + valuesFile: kyverno/policies-values.yaml + - name: headlamp + repo: https://kubernetes-sigs.github.io/headlamp/ + version: 0.40.1 + releaseName: headlamp + namespace: headlamp + valuesFile: headlamp/values.yaml diff --git a/clusters/noble/bootstrap/argocd/README.md b/clusters/noble/bootstrap/argocd/README.md index f3801f9..a74f165 100644 --- a/clusters/noble/bootstrap/argocd/README.md +++ b/clusters/noble/bootstrap/argocd/README.md @@ -49,7 +49,7 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml ``` -Until **`apps/`** contains valid **`Application`** resources, the root app may show **OutOfSync** or sync nothing — that is expected. +**`apps/noble-platform.yaml`** points at **`clusters/noble/apps`** (see **`kustomization.yaml`** there). After **`values.yaml`** changes that affect repo-server (e.g. **`kustomize.buildOptions`**), run **`helm upgrade`** for Argo CD again. ## Versions diff --git a/clusters/noble/bootstrap/argocd/apps/README.md b/clusters/noble/bootstrap/argocd/apps/README.md index 14e4af0..cbfc067 100644 --- a/clusters/noble/bootstrap/argocd/apps/README.md +++ b/clusters/noble/bootstrap/argocd/apps/README.md 
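Review bot: The nine `helmCharts` entries are pinned by `version:` only, so what repo-server renders still depends on each upstream chart repository serving the same archive for that version; nothing in this file records a digest or provenance check. Because the header describes this as one sync target that includes Vault, Kyverno, sealed-secrets and external-secrets, a republished or tampered chart would reach the secrets and policy layers in a single sync. Consider mirroring or vendoring the charts under your own control, and state the trust assumption in the header, e.g. `# Charts are fetched from upstream at render time; versions are pinned, content is not verified.` `vault/unseal-cronjob.yaml` is also applied through this list and its contents are not visible here, so confirm it does not carry unseal material in a plain manifest.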
@@ -1,10 +1,7 @@ # Argo CD — app-of-apps children -Add **`Application`** manifests here (one file per workload or group). The **`noble-root`** Application in the parent directory syncs this folder. +**`noble-root`** syncs this directory. Keep **one** child Application (**`noble-platform`**) so the UI does not list every Helm release separately. -Example patterns: +- **`noble-platform.yaml`** — syncs **`clusters/noble/apps`** via **`kustomization.yaml`** (namespaces, extra YAML, and **helmCharts** with the same **`values.yaml`** files as the manual install commands in each app README). -- **Helm:** `spec.source` with `chart`, `repoURL` (Helm repo), and `helm.valueFiles` pointing at paths in the same git repo. -- **Kustomize / plain manifests:** `spec.source.path` to a directory of YAML. - -The historical **`clusters/noble/apps/*`** tree is written for **manual `helm upgrade`**; migrating each app to an Argo CD `Application` is optional follow-up work. +After changing **`clusters/noble/bootstrap/argocd/values.yaml`** (e.g. **`kustomize.buildOptions`**), roll the Argo CD Helm release so repo-server picks up the new ConfigMap. diff --git a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml new file mode 100644 index 0000000..7263623 --- /dev/null +++ b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml 
@@ -0,0 +1,27 @@
+# Noble cluster workloads — one Application so the Argo CD UI stays a single “platform” row
+# under **noble-root** (app-of-apps). Renders **clusters/noble/apps** (Kustomize + Helm).
+#
+# Adopting existing manual Helm releases: release names and namespaces must match
+# **clusters/noble/apps/kustomization.yaml** (same as the README install commands).
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: noble-platform
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io/background
+spec:
+ project: default
+ source:
+ repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+ targetRevision: main
+ path: clusters/noble/apps
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/clusters/noble/bootstrap/argocd/root-application.yaml b/clusters/noble/bootstrap/argocd/root-application.yaml
index 0547bb6..f6f3652 100644
--- a/clusters/noble/bootstrap/argocd/root-application.yaml
+++ b/clusters/noble/bootstrap/argocd/root-application.yaml
@@ -3,8 +3,9 @@
 # 1. Set spec.source.repoURL (and targetRevision) to this git repository.
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
-# Syncs **Application** YAMLs under **apps/** (add workloads there). Do **not**
-# point at **clusters/noble/apps/** — that tree is Helm values for manual installs.
+# Syncs **Application** YAMLs under **apps/** (today: **noble-platform**). Cluster
+# workloads are defined by **clusters/noble/apps/kustomization.yaml** (Kustomize +
+# Helm); per-app **values.yaml** and READMEs stay the source of truth for versions.
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application
diff --git a/clusters/noble/bootstrap/argocd/values.yaml b/clusters/noble/bootstrap/argocd/values.yaml
index b606dab..7037af5 100644
--- a/clusters/noble/bootstrap/argocd/values.yaml
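Review bot: `project: default` together with `automated` sync, `prune: true` and `selfHeal: true` on `targetRevision: main` means any commit that lands on `main` of the Gitea repo is applied to the cluster with no project-level bound, since Argo CD's built-in `default` project places no restriction on source repos, destinations or resource kinds unless it has been edited. A dedicated AppProject that allows only this `repoURL` and the namespaces and cluster-scoped kinds the platform needs would contain that, e.g. `project: noble-platform` (project name constructed for illustration). The `resources-finalizer` plus `prune: true` also means that deleting this Application, or dropping an entry from the kustomization, cascades to the Vault and sealed-secrets resources; annotating those with `argocd.argoproj.io/sync-options: Prune=false` would protect the key material. The kube-prometheus-stack CRDs pulled in with `includeCRDs: true` are probably too large for client-side apply, so `- ServerSideApply=true` under `syncOptions` is likely needed as well.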
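Review bot: The rewritten header comment says per-app READMEs "stay the source of truth for versions", but once **noble-platform** auto-syncs, the versions actually deployed are the `version:` fields in `clusters/noble/apps/kustomization.yaml`. With `selfHeal: true` on the child Application, a manual `helm upgrade --install` to a different version would likely be reverted on the next reconcile, so the two can drift silently. I would reword the last comment line along the lines of `# Helm); chart versions are pinned in kustomization.yaml — keep the README commands in step.` The hunk is comment-only; the Application spec continues outside it.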
+++ b/clusters/noble/bootstrap/argocd/values.yaml @@ -17,6 +17,9 @@ global: domain: argo.apps.noble.lab.pcenicni.dev configs: + # Kustomize **helmCharts** in **clusters/noble/apps/kustomization.yaml** need Helm inflation. + cm: + kustomize.buildOptions: --enable-helm params: # TLS terminates at Traefik / cert-manager; Argo CD serves HTTP behind the Ingress. server.insecure: true
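Review bot: `kustomize.buildOptions: --enable-helm` under `configs.cm` is a global Argo CD setting, so it applies to every Kustomize source that repo-server renders, not only `clusters/noble/apps`; any repository an Application is permitted to use can then make repo-server fetch and template charts of its choosing. The added comment should say this rather than naming a single consumer, e.g. `# Global: enables Helm inflation for all Kustomize sources; restrict sourceRepos per AppProject.` Quoting the value as `'--enable-helm'` would also make it explicit that it is a string. The `configs:` mapping continues outside this hunk.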