Update Argo CD application configurations for noble-platform to include sync wave annotations and enhance documentation. Remove redundant Helm chart definitions, clarify application roles in README.md, and implement retry logic for improved deployment resilience.

clusters/noble/bootstrap/argocd/apps/README.md

@@ -1,3 +1,11 @@
 # Argo CD — app-of-apps children
 
-**`noble-root`** syncs this directory. **`noble-platform`** is the only child Application: **Helm** chart sources + Git **`ref: values`** for **`$values`** paths + Git **`path`** for plain **Kustomize** under **`clusters/noble/apps`** (no **`helmCharts`** in **`kustomization.yaml`**, so repo-server does **not** need **`kustomize --enable-helm`**).
+**`noble-root`** syncs this directory. Order matters for **Kyverno** webhooks:
+
+| Application | Sync wave | Role |
+|-------------|-----------|------|
+| **`noble-kyverno`** | `0` | Kyverno operator only |
+| **`noble-kyverno-policies`** | `1` | `kyverno-policies` chart (after operator) |
+| **`noble-platform`** | `2` | Sealed Secrets, ESO, Vault, observability, Headlamp + Git/Kustomize |
+
+**`noble-platform`** uses **Helm** `sources` + Git **`ref`/`path`**; **`clusters/noble/apps/kustomization.yaml`** is plain resources (no **`helmCharts`**).

clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml

@@ -0,0 +1,40 @@
+# Kyverno policy chart — after operator is up (sync wave 1). Retries help if webhooks were still starting.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: noble-kyverno-policies
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  sources:
+    - repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno-policies
+      targetRevision: "3.7.1"
+      helm:
+        releaseName: kyverno-policies
+        namespace: kyverno
+        valueFiles:
+          - $values/clusters/noble/apps/kyverno/policies-values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: HEAD
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 15s
+        factor: 2
+        maxDuration: 5m

clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml

@@ -0,0 +1,35 @@
+# Kyverno operator only — must apply before policies and before workloads that hit webhooks.
+# Sync wave 0 under **noble-root** (lower number runs first).
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: noble-kyverno
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  sources:
+    - repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno
+      targetRevision: "3.7.1"
+      helm:
+        releaseName: kyverno
+        namespace: kyverno
+        valueFiles:
+          - $values/clusters/noble/apps/kyverno/values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: HEAD
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

clusters/noble/bootstrap/argocd/apps/noble-platform.yaml

@@ -1,8 +1,4 @@
-# Multi-source: native Helm (no Kustomize helmCharts → no **--enable-helm**). One Git source uses
-# **ref: values** (for **$values/...**) and **path** (Kustomize) together — see multiple_sources docs.
-#
-# Helm order: Kyverno before kube-prometheus so policy webhooks can resolve during sync; see
-# **kube-prometheus-stack/values.yaml** (cert-manager admission TLS — avoids Kyverno failing pre-hook Jobs).
+# Platform workloads (no Kyverno — those are **noble-kyverno** + **noble-kyverno-policies**). Sync wave 2.
 #
 # https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/
 apiVersion: argoproj.io/v1alpha1
@@ -10,27 +6,13 @@ kind: Application
 metadata:
   name: noble-platform
   namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
   finalizers:
     - resources-finalizer.argocd.argoproj.io/background
 spec:
   project: default
   sources:
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno
-      targetRevision: "3.7.1"
-      helm:
-        releaseName: kyverno
-        namespace: kyverno
-        valueFiles:
-          - $values/clusters/noble/apps/kyverno/values.yaml
-    - repoURL: https://kyverno.github.io/kyverno/
-      chart: kyverno-policies
-      targetRevision: "3.7.1"
-      helm:
-        releaseName: kyverno-policies
-        namespace: kyverno
-        valueFiles:
-          - $values/clusters/noble/apps/kyverno/policies-values.yaml
     - repoURL: https://bitnami-labs.github.io/sealed-secrets
       chart: sealed-secrets
       targetRevision: "2.18.4"
@@ -101,3 +83,9 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 15s
+        factor: 2
+        maxDuration: 5m

clusters/noble/bootstrap/argocd/root-application.yaml

@@ -3,7 +3,7 @@
 # 1. Set spec.source.repoURL (and targetRevision — **HEAD** tracks the remote default branch) to this repo.
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
-# Syncs **Application** YAMLs under **apps/** (today: **noble-platform**). Cluster
+# Syncs **Application** YAMLs under **apps/** (**noble-kyverno**, **noble-kyverno-policies**, **noble-platform**). Cluster
 # workloads: **apps/noble-platform.yaml** (Helm chart sources + Git/Kustomize); **clusters/noble/apps/**
 # holds **values.yaml** and plain **kustomization.yaml** (resources only). Per-app READMEs stay the source of truth for versions.
 #