From d206a590abfc26449f0bd94a8e6c0001c366e15d Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Wed, 13 May 2026 17:06:37 -0400
Subject: [PATCH] Enhance hubble-server-certs management for Argo CD by adding a new configuration option and updating tasks to ensure compatibility with older kubectl versions. This includes improved handling of managed fields for Helm SSA conflict resolution.

---
 ansible/roles/noble_cilium/defaults/main.yml | 8 ++++++--
 ansible/roles/noble_cilium/tasks/main.yml    | 6 ++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/noble_cilium/defaults/main.yml b/ansible/roles/noble_cilium/defaults/main.yml
index cbb5bb3..c4e34e8 100644
--- a/ansible/roles/noble_cilium/defaults/main.yml
+++ b/ansible/roles/noble_cilium/defaults/main.yml
@@ -1,4 +1,8 @@
 ---
-# When true, delete **kube-system/hubble-server-certs** if its **managedFields** show **argocd-controller**
-# (recover from Helm SSA conflicts after Argo synced Cilium before Ansible).
+# When true, delete **kube-system/hubble-server-certs** if **managedFields** show **argocd-controller**
+# (recover from Helm SSA conflicts after Argo synced Cilium before Ansible). Requires **kubectl** with
+# **--show-managed-fields** on the pre-check (see tasks).
 noble_cilium_repair_argo_ssa_on_hubble_secret: true
+# When true, delete **hubble-server-certs** whenever it exists (before Helm). Use only if the Argo check
+# still does not fire (older kubectl) or you need a one-shot cleanup.
+noble_cilium_delete_hubble_server_certs_if_present: false
diff --git a/ansible/roles/noble_cilium/tasks/main.yml b/ansible/roles/noble_cilium/tasks/main.yml
index 5e8fae3..bcca2a3 100644
--- a/ansible/roles/noble_cilium/tasks/main.yml
+++ b/ansible/roles/noble_cilium/tasks/main.yml
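Review bot: The comment on `noble_cilium_delete_hubble_server_certs_if_present` calls it a "one-shot cleanup", but nothing visible limits it to one run: per the conditions in the third hunk of tasks/main.yml the delete task fires on every play in which the pre-check finds the Secret while the variable is true, so a TLS Secret would be removed repeatedly until the operator resets the flag. The comment also omits that the task stays gated by `noble_cilium_repair_argo_ssa_on_hubble_secret`, so setting the new option alone while that toggle is false does nothing. Suggest adding `# Deleted on EVERY run while true (set back to false after the cleanup run); has no effect unless` / `# noble_cilium_repair_argo_ssa_on_hubble_secret is also true.` above the new default.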
@@ -1,6 +1,7 @@
 ---
 # Argo may have server-side-applied chart-owned Secrets during earlier runs; Helm then fails with
-# "conflict with argocd-controller". Drop the Secret only when that manager is present.
+# "conflict with argocd-controller". **kubectl** omits **managedFields** unless **--show-managed-fields=true**.
+# We delete the Secret only when **argocd-controller** appears there (or set **noble_cilium_delete_hubble_server_certs_if_present**).
 - name: Read hubble-server-certs Secret (if any) for SSA repair
   ansible.builtin.command:
     argv:
@@ -10,6 +11,7 @@
       - hubble-server-certs
       - -n
       - kube-system
+      - --show-managed-fields=true
       - -o
       - json
     environment:
@@ -35,7 +37,7 @@
     - noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
     - not (noble_cilium_hubble_secret_json.skipped | default(false))
     - noble_cilium_hubble_secret_json.rc | default(-1) | int == 0
-    - '"argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default(""))'
+    - (noble_cilium_delete_hubble_server_certs_if_present | default(false) | bool) or ("argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default("")))
   changed_when: true
 
 - name: Install Cilium (required CNI for Talos cni:none)
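Review bot: `--show-managed-fields=true` is presumably rejected by kubectl releases that predate the flag, so on exactly the "older kubectl" hosts the new option in defaults/main.yml is written for, this pre-check now exits non-zero instead of returning the Secret. The rest of the task, including its failure handling, is outside the hunk; the `rc | default(-1)` and `.skipped` guards in the later `when:` suggest it is already non-fatal, but confirm `failed_when: false` (or equivalent) is set so the play does not abort here. A comment above the new argv entry, e.g. `# managedFields are hidden by default on newer kubectl; old releases reject the flag (rc != 0, see when: below)`, would record why the flag is required.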
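Review bot: The new escape hatch is still ANDed with `noble_cilium_hubble_secret_json.rc | default(-1) | int == 0`, so when the pre-check fails because kubectl does not accept `--show-managed-fields=true` (the case the option is documented for) the delete never fires even with `noble_cilium_delete_hubble_server_certs_if_present: true`; it is also silently inert whenever `noble_cilium_repair_argo_ssa_on_hubble_secret` is false. The retained substring test on the whole JSON would also trigger deletion of a TLS Secret for any label or annotation value containing the text `argocd-controller`, rather than for that manager in `metadata.managedFields`. Consider letting the option bypass the rc test and matching the manager name exactly, as below; the enclosing `when:` starts outside the hunk, and the delete task itself is also outside it and would then need to tolerate a missing Secret (e.g. `--ignore-not-found`).
```yaml
  when:
    - noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
    - not (noble_cilium_hubble_secret_json.skipped | default(false))
    # Escape hatch first so it works even when the kubectl pre-check failed (e.g. flag unknown);
    # otherwise require a successful read and an exact manager match, not a substring of the JSON.
    - >-
      (noble_cilium_delete_hubble_server_certs_if_present | default(false) | bool)
      or (
        noble_cilium_hubble_secret_json.rc | default(-1) | int == 0
        and 'argocd-controller' in (
          (noble_cilium_hubble_secret_json.stdout | from_json).metadata.managedFields
          | default([]) | map(attribute='manager') | list
        )
      )
  changed_when: true
```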