Refactor Argo CD application management by removing the obsolete root-application.yaml and updating the bootstrap-root-application.yaml to include optional add-on Application manifests from clusters/noble/apps. Adjust documentation to clarify the deployment order and resource ownership, ensuring a streamlined GitOps process with Ansible and Argo CD.

clusters/noble/bootstrap/argocd/README.md

@@ -52,20 +52,19 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
 
 ## 4. App-of-apps (GitOps)
 
-**Ansible** (`ansible/playbooks/noble.yml`) runs **`kubectl apply -k clusters/noble/bootstrap`** from **`noble_platform`**, then Helm for the platform stack, **then** **`noble_authentik`**, **`noble_velero`**, and **only then** (play **`tasks:`**) **`noble_argocd`** `applications_post_platform.yml` applies **`root-application.yaml`**, **`bootstrap-root-application.yaml`**, and **`kubectl apply -k clusters/noble/bootstrap/argocd/app-of-apps`**. **Trivy Operator** is **not** installed by Ansible; sync the **`noble-trivy-operator`** leaf app (or enable automation) after **`noble.yml`**. That order keeps **Ansible Helm first** and lets Argo **take ownership** when you sync or enable automation (no premature SSA vs Helm).
+**Ansible** (`ansible/playbooks/noble.yml`) runs **`kubectl apply -k clusters/noble/bootstrap`** from **`noble_platform`**, then Helm for the platform stack, **then** **`noble_authentik`**, **`noble_velero`**, and **only then** (play **`tasks:`**) **`noble_argocd`** `applications_post_platform.yml` applies **`bootstrap-root-application.yaml`**, and **`kubectl apply -k clusters/noble/bootstrap/argocd/app-of-apps`**. **Trivy Operator** is **not** installed by Ansible; sync the **`noble-trivy-operator`** leaf app (or enable automation) after **`noble.yml`**. That order keeps **Ansible Helm first** and lets Argo **take ownership** when you sync or enable automation (no premature SSA vs Helm).
 
-1. Edit **`root-application.yaml`** and **`bootstrap-root-application.yaml`**: set **`repoURL`** and **`targetRevision`**. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argo’s path-qualified form so **`kubectl apply`** does not warn about finalizer names.
-2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
-3. **Bootstrap kustomize** (namespaces, datasource, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`** (no **`argocd/app-of-apps/`** in that kustomization). Leaf **`Application`** manifests live under **`argocd/app-of-apps/`**; Ansible applies that directory **after** all **`noble_*`** Helm roles in **`noble.yml`** (see §4) so Argo does not SSA charts before Helm. The root app uses **manual** sync; each leaf app is **manual** until you enable automation (see **§5**).
+1. Edit **`bootstrap-root-application.yaml`**: set **`repoURL`** and **`targetRevision`**. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argo’s path-qualified form so **`kubectl apply`** does not warn about finalizer names.
+2. Optional add-on apps: add a subdirectory under **`clusters/noble/apps/`** with its own **`kustomization.yaml`** (see **`clusters/noble/apps/README.md`**). The bootstrap kustomization includes **`../apps`**, so **`noble-bootstrap-root`** applies them with the rest of bootstrap static YAML.
+3. **Bootstrap kustomize** (namespaces, datasource, optional **`clusters/noble/apps`**, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`**. Leaf chart **`Application`** manifests for core charts live under **`argocd/app-of-apps/`**; Ansible applies that directory **after** all **`noble_*`** Helm roles in **`noble.yml`** (see §4) so Argo does not SSA charts before Helm. The bootstrap root app uses **manual** sync; each leaf app is **manual** until you enable automation (see **§5**).
 
-   **`ansible/playbooks/noble.yml`**: roles **`noble_argocd`** (Argo Helm only), **`noble_platform`**, **`noble_authentik`**, **`noble_velero`**, then play **`tasks`** run **`applications_post_platform`** when **`noble_argocd_apply_*`** flags are set in **`ansible/inventory/group_vars/all.yml`**. Trivy is deployed only via Argo (**`noble-trivy-operator`**).
+   **`ansible/playbooks/noble.yml`**: roles **`noble_argocd`** (Argo Helm only), **`noble_platform`**, **`noble_authentik`**, **`noble_velero`**, then play **`tasks`** run **`applications_post_platform`** when **`noble_argocd_apply_bootstrap_root_application`** is set in **`ansible/inventory/group_vars/all.yml`**. Trivy is deployed only via Argo (**`noble-trivy-operator`**).
 
    ```bash
-   kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
    kubectl apply -f clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml
    ```
 
-If you migrated from older GitOps **`Application`** names, delete stale **`Application`** objects on the cluster (see **`clusters/noble/apps/README.md`**) then re-apply the roots.
+If you migrated from older GitOps **`Application`** names, delete stale **`Application`** objects on the cluster (see **`clusters/noble/apps/README.md`**) then re-apply the bootstrap root.
 
 **Trivy (`noble-trivy-operator`):** If an older install left an orphan **`ServiceMonitor`** named **`trivy-operator`** in **`monitoring`** (missing `meta.helm.sh/release-*` annotations), Helm/Argo will refuse to adopt it. Delete once, then sync **`noble-trivy-operator`**:
 

clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml

@@ -1,6 +1,8 @@
 # **noble-bootstrap-root** — Kustomize for **clusters/noble/bootstrap** (namespaces, Grafana datasource,
-# VolumeSnapshotClass, etc.). Leaf **Application** CRs under **argocd/app-of-apps/** are **not** in this
-# path; Ansible applies them after all **noble.yml** Helm roles (see play **tasks:** → **applications_post_platform.yml**).
+# VolumeSnapshotClass, etc.) plus **clusters/noble/apps** (optional leaf **Application** / namespace YAML),
+# included via **bootstrap/kustomization.yaml** → **../apps**. Leaf chart **Application** CRs under
+# **argocd/app-of-apps/** are **not** in this path; Ansible applies them after all **noble.yml** Helm roles
+# (see play **tasks:** → **applications_post_platform.yml**).
 #
 # **Initial deploy:** Ansible is the only writer; **automated sync is off** so Argo does not reconcile
 # during **noble.yml**. **After** the playbook finishes, enable automated sync (see **README.md** §5)

clusters/noble/bootstrap/argocd/root-application.yaml

@@ -1,35 +0,0 @@
-# App-of-apps root — apply after Argo CD is running (optional).
-#
-# 1. Set spec.source.repoURL (and targetRevision — **HEAD** tracks the remote default branch) to this repo.
-# 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
-#
-# **clusters/noble/apps** holds optional **Application** manifests. **noble_platform** applies
-# **clusters/noble/bootstrap/kustomization.yaml** (namespaces + static YAML), Helm installs, then
-# **applications_post_platform.yml** applies **bootstrap-root-application.yaml** and **argocd/app-of-apps/**.
-# **noble-bootstrap-root** tracks bootstrap kustomize (**manual** sync until README §5).
-#
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: noble-root
-  namespace: argocd
-  # Path suffix satisfies Kubernetes’ domain-qualified finalizer guidance (avoids kubectl warning).
-  # Background cascade: Application deletes after resources are removed asynchronously.
-  # See: https://argo-cd.readthedocs.io/en/stable/user-guide/app_deletion/#about-the-deletion-finalizer
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io/background
-spec:
-  project: default
-  source:
-    repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-    targetRevision: HEAD
-    path: clusters/noble/apps
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: argocd
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true

clusters/noble/bootstrap/argocd/values.yaml

@@ -11,7 +11,7 @@
 #
 # Initial admin password: kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d
 #
-# Optional: kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
+# Optional: kubectl apply -f clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml
 
 global:
   domain: argo.apps.noble.lab.pcenicni.dev

clusters/noble/bootstrap/kustomization.yaml

@@ -1,4 +1,4 @@
-# Ansible **noble_platform**: `kubectl apply -k` this directory (namespaces + static YAML only).
+# Ansible **noble_platform**: `kubectl apply -k` this directory (namespaces + static YAML + **../apps** optional Argo leaf Applications).
 # Leaf Argo **Application** manifests live under **argocd/app-of-apps/** and are applied at the **end**
 # of **ansible/playbooks/noble.yml** (play **tasks:** → **noble_argocd** `applications_post_platform.yml`) so
 # **argocd-controller** does not SSA chart resources before **helm upgrade** (platform, authentik, velero, …).
@@ -19,4 +19,5 @@ resources:
   - velero/namespace.yaml
   - velero/longhorn-volumesnapshotclass.yaml
   - headlamp/namespace.yaml
+  - ../apps
   - grafana-loki-datasource/loki-datasource.yaml