Enhance hubble-server-certs management for Argo CD by adding a new configuration option and updating tasks to ensure compatibility with older kubectl versions. This includes improved handling of managed fields for Helm SSA conflict resolution.

ansible/roles/noble_cilium/tasks/main.yml

@@ -1,6 +1,7 @@
 ---
 # Argo may have server-side-applied chart-owned Secrets during earlier runs; Helm then fails with
-# "conflict with argocd-controller". Drop the Secret only when that manager is present.
+# "conflict with argocd-controller". **kubectl** omits **managedFields** unless **--show-managed-fields=true**.
+# We delete the Secret only when **argocd-controller** appears there (or set **noble_cilium_delete_hubble_server_certs_if_present**).
 - name: Read hubble-server-certs Secret (if any) for SSA repair
   ansible.builtin.command:
     argv:
@@ -10,6 +11,7 @@
       - hubble-server-certs
       - -n
       - kube-system
+      - --show-managed-fields=true
       - -o
       - json
   environment:
@@ -35,7 +37,7 @@
     - noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
     - not (noble_cilium_hubble_secret_json.skipped | default(false))
     - noble_cilium_hubble_secret_json.rc | default(-1) | int == 0
-    - '"argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default(""))'
+    - (noble_cilium_delete_hubble_server_certs_if_present | default(false) | bool) or ("argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default("")))
   changed_when: true
 
 - name: Install Cilium (required CNI for Talos cni:none)