Refine Argo CD documentation and configuration. Update README.md to clarify the relationship between noble-root and child applications, and enhance instructions for syncing workloads. Modify root-application.yaml to specify the use of kustomization.yaml for cluster workloads. Adjust values.yaml to enable Helm inflation for Kustomize charts. Update apps/README.md to streamline application management and clarify deployment processes.

clusters/noble/apps/kustomization.yaml

@@ -0,0 +1,77 @@
+# Umbrella for Argo CD Application **noble-platform** — one sync target for core Helm releases
+# plus shared manifests. Per-app READMEs keep manual **`helm upgrade --install`** commands;
+# **values.yaml** paths match those commands.
+#
+# Requires repo-server Kustomize **--enable-helm** (see **bootstrap/argocd/values.yaml**).
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - kube-prometheus-stack/namespace.yaml
+  - loki/namespace.yaml
+  - fluent-bit/namespace.yaml
+  - sealed-secrets/namespace.yaml
+  - external-secrets/namespace.yaml
+  - vault/namespace.yaml
+  - kyverno/namespace.yaml
+  - headlamp/namespace.yaml
+  - grafana-loki-datasource/loki-datasource.yaml
+  - vault/unseal-cronjob.yaml
+  - vault/cilium-network-policy.yaml
+
+helmCharts:
+  - name: kube-prometheus-stack
+    repo: https://prometheus-community.github.io/helm-charts
+    version: 82.15.1
+    releaseName: kube-prometheus
+    namespace: monitoring
+    valuesFile: kube-prometheus-stack/values.yaml
+    includeCRDs: true
+  - name: loki
+    repo: https://grafana.github.io/helm-charts
+    version: 6.55.0
+    releaseName: loki
+    namespace: loki
+    valuesFile: loki/values.yaml
+  - name: fluent-bit
+    repo: https://fluent.github.io/helm-charts
+    version: 0.56.0
+    releaseName: fluent-bit
+    namespace: logging
+    valuesFile: fluent-bit/values.yaml
+  - name: sealed-secrets
+    repo: https://bitnami-labs.github.io/sealed-secrets
+    version: 2.18.4
+    releaseName: sealed-secrets
+    namespace: sealed-secrets
+    valuesFile: sealed-secrets/values.yaml
+  - name: external-secrets
+    repo: https://charts.external-secrets.io
+    version: 2.2.0
+    releaseName: external-secrets
+    namespace: external-secrets
+    valuesFile: external-secrets/values.yaml
+  - name: vault
+    repo: https://helm.releases.hashicorp.com
+    version: 0.32.0
+    releaseName: vault
+    namespace: vault
+    valuesFile: vault/values.yaml
+  - name: kyverno
+    repo: https://kyverno.github.io/kyverno/
+    version: 3.7.1
+    releaseName: kyverno
+    namespace: kyverno
+    valuesFile: kyverno/values.yaml
+  - name: kyverno-policies
+    repo: https://kyverno.github.io/kyverno/
+    version: 3.7.1
+    releaseName: kyverno-policies
+    namespace: kyverno
+    valuesFile: kyverno/policies-values.yaml
+  - name: headlamp
+    repo: https://kubernetes-sigs.github.io/headlamp/
+    version: 0.40.1
+    releaseName: headlamp
+    namespace: headlamp
+    valuesFile: headlamp/values.yaml

clusters/noble/bootstrap/argocd/README.md

@@ -49,7 +49,7 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
    kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
    ```
 
-Until **`apps/`** contains valid **`Application`** resources, the root app may show **OutOfSync** or sync nothing — that is expected.
+**`apps/noble-platform.yaml`** points at **`clusters/noble/apps`** (see **`kustomization.yaml`** there). After **`values.yaml`** changes that affect repo-server (e.g. **`kustomize.buildOptions`**), run **`helm upgrade`** for Argo CD again.
 
 ## Versions
 

clusters/noble/bootstrap/argocd/apps/README.md

@@ -1,10 +1,7 @@
 # Argo CD — app-of-apps children
 
-Add **`Application`** manifests here (one file per workload or group). The **`noble-root`** Application in the parent directory syncs this folder.
+**`noble-root`** syncs this directory. Keep **one** child Application (**`noble-platform`**) so the UI does not list every Helm release separately.
 
-Example patterns:
+- **`noble-platform.yaml`** — syncs **`clusters/noble/apps`** via **`kustomization.yaml`** (namespaces, extra YAML, and **helmCharts** with the same **`values.yaml`** files as the manual install commands in each app README).
 
-- **Helm:** `spec.source` with `chart`, `repoURL` (Helm repo), and `helm.valueFiles` pointing at paths in the same git repo.
+After changing **`clusters/noble/bootstrap/argocd/values.yaml`** (e.g. **`kustomize.buildOptions`**), roll the Argo CD Helm release so repo-server picks up the new ConfigMap.
-- **Kustomize / plain manifests:** `spec.source.path` to a directory of YAML.
-
-The historical **`clusters/noble/apps/*`** tree is written for **manual `helm upgrade`**; migrating each app to an Argo CD `Application` is optional follow-up work.

clusters/noble/bootstrap/argocd/apps/noble-platform.yaml

@@ -0,0 +1,27 @@
+# Noble cluster workloads — one Application so the Argo CD UI stays a single “platform” row
+# under **noble-root** (app-of-apps). Renders **clusters/noble/apps** (Kustomize + Helm).
+#
+# Adopting existing manual Helm releases: release names and namespaces must match
+# **clusters/noble/apps/kustomization.yaml** (same as the README install commands).
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: noble-platform
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  source:
+    repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+    targetRevision: main
+    path: clusters/noble/apps
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

clusters/noble/bootstrap/argocd/root-application.yaml

@@ -3,8 +3,9 @@
 # 1. Set spec.source.repoURL (and targetRevision) to this git repository.
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
-# Syncs **Application** YAMLs under **apps/** (add workloads there). Do **not**
+# Syncs **Application** YAMLs under **apps/** (today: **noble-platform**). Cluster
-# point at **clusters/noble/apps/** — that tree is Helm values for manual installs.
+# workloads are defined by **clusters/noble/apps/kustomization.yaml** (Kustomize +
+# Helm); per-app **values.yaml** and READMEs stay the source of truth for versions.
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application

clusters/noble/bootstrap/argocd/values.yaml

@@ -17,6 +17,9 @@ global:
   domain: argo.apps.noble.lab.pcenicni.dev
 
 configs:
+  # Kustomize **helmCharts** in **clusters/noble/apps/kustomization.yaml** need Helm inflation.
+  cm:
+    kustomize.buildOptions: --enable-helm
   params:
     # TLS terminates at Traefik / cert-manager; Argo CD serves HTTP behind the Ingress.
     server.insecure: true