From ee7669c78816bb5e34397db6500d6e5b11f33c57 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Sat, 28 Mar 2026 02:29:23 -0400
Subject: [PATCH] Update Argo CD application configurations for noble-platform to include sync wave annotations and enhance documentation. Remove redundant Helm chart definitions, clarify application roles in README.md, and implement retry logic for improved deployment resilience.
---
 .../noble/bootstrap/argocd/apps/README.md | 10 ++++-
 .../argocd/apps/noble-kyverno-policies.yaml | 40 +++++++++++++++++++
 .../bootstrap/argocd/apps/noble-kyverno.yaml | 35 ++++++++++++++++
 .../bootstrap/argocd/apps/noble-platform.yaml | 30 +++++---------
 .../bootstrap/argocd/root-application.yaml | 2 +-
 5 files changed, 94 insertions(+), 23 deletions(-)
 create mode 100644 clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml
 create mode 100644 clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml
diff --git a/clusters/noble/bootstrap/argocd/apps/README.md b/clusters/noble/bootstrap/argocd/apps/README.md
index 10c9d94..8c83d56 100644
--- a/clusters/noble/bootstrap/argocd/apps/README.md
+++ b/clusters/noble/bootstrap/argocd/apps/README.md
@@ -1,3 +1,11 @@
 # Argo CD — app-of-apps children
-**`noble-root`** syncs this directory. **`noble-platform`** is the only child Application: **Helm** chart sources + Git **`ref: values`** for **`$values`** paths + Git **`path`** for plain **Kustomize** under **`clusters/noble/apps`** (no **`helmCharts`** in **`kustomization.yaml`**, so repo-server does **not** need **`kustomize --enable-helm`**).
+**`noble-root`** syncs this directory. Order matters for **Kyverno** webhooks:
+
+| Application | Sync wave | Role |
+|-------------|-----------|------|
+| **`noble-kyverno`** | `0` | Kyverno operator only |
+| **`noble-kyverno-policies`** | `1` | `kyverno-policies` chart (after operator) |
+| **`noble-platform`** | `2` | Sealed Secrets, ESO, Vault, observability, Headlamp + Git/Kustomize |
+
+**`noble-platform`** uses **Helm** `sources` + Git **`ref`/`path`**; **`clusters/noble/apps/kustomization.yaml`** is plain resources (no **`helmCharts`**).
diff --git a/clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml b/clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml
new file mode 100644
index 0000000..d69b41d
--- /dev/null
+++ b/clusters/noble/bootstrap/argocd/apps/noble-kyverno-policies.yaml
@@ -0,0 +1,40 @@
+# Kyverno policy chart — after operator is up (sync wave 1). Retries help if webhooks were still starting.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: noble-kyverno-policies
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io/background
+spec:
+ project: default
+ sources:
+ - repoURL: https://kyverno.github.io/kyverno/
+ chart: kyverno-policies
+ targetRevision: "3.7.1"
+ helm:
+ releaseName: kyverno-policies
+ namespace: kyverno
+ valueFiles:
+ - $values/clusters/noble/apps/kyverno/policies-values.yaml
+ - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ retry:
+ limit: 10
+ backoff:
+ duration: 15s
+ factor: 2
+ maxDuration: 5m
diff --git a/clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml b/clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml
new file mode 100644
index 0000000..13473a9
--- /dev/null
+++ b/clusters/noble/bootstrap/argocd/apps/noble-kyverno.yaml
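Review bot: The `argocd.argoproj.io/sync-wave: "1"` annotation only orders when `noble-root` applies this Application object; Argo CD waits for a wave to be healthy before starting the next, but the `argoproj.io/Application` kind has had no built-in health assessment since v1.8, so unless `argocd-cm` carries a `resource.customizations.health.argoproj.io_Application` Lua check (not visible in this patch) wave 0 counts as done as soon as the `noble-kyverno` object exists, and this app's first sync can race the Kyverno CRDs and admission webhook. The `retry` block absorbs that with well over half an hour of exponential backoff (15s doubling to a 5m cap, ten attempts), which is a reasonable safety net but should not be mistaken for ordering; either confirm the Application health customization exists, or say so in the header: `# NOTE: the sync-wave only orders creation under noble-root; without an Application health check in argocd-cm, the retry below is what absorbs CRD/webhook readiness.` Separately, this app lives in the unrestricted `project: default` and follows the values repo at `targetRevision: HEAD`, so anyone who can push to the default branch can change cluster-wide admission policy; a dedicated AppProject with `sourceRepos`, `destinations` and `clusterResourceWhitelist` scoped to the Kyverno charts, plus a pinned branch or tag for the `ref: values` source, would bound that.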
@@ -0,0 +1,35 @@
+# Kyverno operator only — must apply before policies and before workloads that hit webhooks.
+# Sync wave 0 under **noble-root** (lower number runs first).
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: noble-kyverno
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io/background
+spec:
+ project: default
+ sources:
+ - repoURL: https://kyverno.github.io/kyverno/
+ chart: kyverno
+ targetRevision: "3.7.1"
+ helm:
+ releaseName: kyverno
+ namespace: kyverno
+ valueFiles:
+ - $values/clusters/noble/apps/kyverno/values.yaml
+ - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
index 23f3793..472994a 100644
--- a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
+++ b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
@@ -1,8 +1,4 @@
-# Multi-source: native Helm (no Kustomize helmCharts → no **--enable-helm**). One Git source uses
-# **ref: values** (for **$values/...**) and **path** (Kustomize) together — see multiple_sources docs.
-#
-# Helm order: Kyverno before kube-prometheus so policy webhooks can resolve during sync; see
-# **kube-prometheus-stack/values.yaml** (cert-manager admission TLS — avoids Kyverno failing pre-hook Jobs).
+# Platform workloads (no Kyverno — those are **noble-kyverno** + **noble-kyverno-policies**). Sync wave 2.
 #
 # https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/
 apiVersion: argoproj.io/v1alpha1
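Review bot: `prune: true` together with the `resources-finalizer.argocd.argoproj.io/background` finalizer makes the Kyverno operator release cascade-delete with this Application object: if the `kyverno` chart is installing the Kyverno CRDs (its default, but `values.yaml` is not in this patch), removing or renaming `noble-kyverno` deletes the CRDs and with them every ClusterPolicy, policy report and webhook registration, leaving the cluster with no admission enforcement until everything is re-synced. That blast radius is larger than for the sibling Applications, so either drop the finalizer here so an accidental `kubectl delete application noble-kyverno` leaves the operator running, or keep the CRDs out of pruning with `argocd.argoproj.io/sync-options: Prune=false` via the chart's CRD annotations if it exposes them, and record the choice in the header comment. This file is also the only one of the three without a `retry` stanza, although a fresh-cluster install of the operator is the sync most likely to hit a transient API error; adding the same `retry` block as `noble-kyverno-policies` would keep the three consistent.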
@@ -10,27 +6,13 @@ kind: Application
 metadata:
 name: noble-platform
 namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "2"
 finalizers:
 - resources-finalizer.argocd.argoproj.io/background
 spec:
 project: default
 sources:
- - repoURL: https://kyverno.github.io/kyverno/
- chart: kyverno
- targetRevision: "3.7.1"
- helm:
- releaseName: kyverno
- namespace: kyverno
- valueFiles:
- - $values/clusters/noble/apps/kyverno/values.yaml
- - repoURL: https://kyverno.github.io/kyverno/
- chart: kyverno-policies
- targetRevision: "3.7.1"
- helm:
- releaseName: kyverno-policies
- namespace: kyverno
- valueFiles:
- - $values/clusters/noble/apps/kyverno/policies-values.yaml
 - repoURL: https://bitnami-labs.github.io/sealed-secrets
 chart: sealed-secrets
 targetRevision: "2.18.4"
@@ -101,3 +83,9 @@ spec:
 syncOptions:
 - CreateNamespace=true
 - ServerSideApply=true
+ retry:
+ limit: 10
+ backoff:
+ duration: 15s
+ factor: 2
+ maxDuration: 5m
diff --git a/clusters/noble/bootstrap/argocd/root-application.yaml b/clusters/noble/bootstrap/argocd/root-application.yaml
index 20eddea..d5a8c25 100644
--- a/clusters/noble/bootstrap/argocd/root-application.yaml
+++ b/clusters/noble/bootstrap/argocd/root-application.yaml
@@ -3,7 +3,7 @@
 # 1. Set spec.source.repoURL (and targetRevision — **HEAD** tracks the remote default branch) to this repo.
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
-# Syncs **Application** YAMLs under **apps/** (today: **noble-platform**). Cluster
+# Syncs **Application** YAMLs under **apps/** (**noble-kyverno**, **noble-kyverno-policies**, **noble-platform**). Cluster
 # workloads: **apps/noble-platform.yaml** (Helm chart sources + Git/Kustomize); **clusters/noble/apps/**
 # holds **values.yaml** and plain **kustomization.yaml** (resources only). Per-app READMEs stay the source of truth for versions.
 #
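Review bot: Removing the two Kyverno Helm sources from `noble-platform` changes which Application owns the Kyverno objects that are already running, and Argo CD tracks ownership per resource (the `app.kubernetes.io/instance` label or the tracking annotation), so the live Deployments, webhook configurations and, if the chart installed them, CRDs still carry `noble-platform` as their owner. If `noble-platform` syncs with `prune: true` (its `automated` block is outside this hunk), its next sync treats those objects as no longer desired and prunes them while `noble-kyverno` (wave 0) is concurrently trying to adopt the same objects; the outcome ranges from a shared-resource warning to deleting the Kyverno CRDs and every ClusterPolicy with them. Roll the split out in two steps — sync `noble-kyverno` and `noble-kyverno-policies` first so they retake the tracking label, then land this change to `noble-platform` — or temporarily disable pruning on `noble-platform` for the migration, and note that in the commit or README. The `sources` list continues past the end of this hunk.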