Enhance Argo CD integration by adding support for a bootstrap root application. Update group_vars/all.yml and role defaults to include noble_argocd_apply_bootstrap_root_application. Modify tasks to apply the bootstrap application conditionally. Revise documentation to clarify the GitOps workflow and the relationship between the core platform and optional applications. Remove outdated references and streamline the README for better user guidance.

clusters/noble/bootstrap/argocd/README.md

@@ -50,21 +50,56 @@ helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
 
 Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` of type `repository`.
 
-## 4. App-of-apps (optional GitOps only)
+## 4. App-of-apps (GitOps)
 
-Bootstrap **platform** workloads (CNI, ingress, cert-manager, Kyverno, observability, etc.) are installed by
-**`ansible/playbooks/noble.yml`** from **`clusters/noble/bootstrap/`** — not by Argo. **`clusters/noble/apps/kustomization.yaml`** is empty by default.
+**Ansible** (`ansible/playbooks/noble.yml`) performs the **initial** install: Helm releases and **`kubectl apply -k clusters/noble/bootstrap`**. **Argo** then tracks the same git paths for ongoing reconciliation.
 
-1. Edit **`root-application.yaml`**: set **`repoURL`** and **`targetRevision`** to this repository. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argo’s path-qualified form so **`kubectl apply`** does not warn about finalizer names.
-2. When you want Argo to manage specific apps, add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
-3. Apply the root:
+1. Edit **`root-application.yaml`** and **`bootstrap-root-application.yaml`**: set **`repoURL`** and **`targetRevision`**. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argo’s path-qualified form so **`kubectl apply`** does not warn about finalizer names.
+2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
+3. **Bootstrap kustomize** (namespaces, datasource, leaf **`Application`**s under **`argocd/app-of-apps/`**, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`**. It is created with **manual** sync only so Argo does not apply changes while **`noble.yml`** is still running.
+
+   **`ansible/playbooks/noble.yml`** (role **`noble_argocd`**) applies both roots when **`noble_argocd_apply_root_application`** / **`noble_argocd_apply_bootstrap_root_application`** are true in **`ansible/group_vars/all.yml`**.
 
    ```bash
    kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
+   kubectl apply -f clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml
    ```
 
-If you migrated from GitOps-managed **`noble-platform`** / **`noble-kyverno`**, delete stale **`Application`** objects on
-the cluster (see **`clusters/noble/apps/README.md`**) then re-apply the root.
+If you migrated from older GitOps **`Application`** names, delete stale **`Application`** objects on the cluster (see **`clusters/noble/apps/README.md`**) then re-apply the roots.
+
+## 5. After Ansible: enable automated sync for **noble-bootstrap-root**
+
+Do this only after **`ansible-playbook playbooks/noble.yml`** has finished successfully (including **`noble_platform`** `kubectl apply -k` and any Helm stages you rely on). Until then, leave **manual** sync so Argo does not fight the playbook.
+
+**Required steps**
+
+1. Confirm the cluster matches git for kustomize output (optional): `kubectl kustomize clusters/noble/bootstrap | kubectl diff -f -` or inspect resources in the UI.
+2. Register the git repo in Argo if you have not already (**§3**).
+3. **Refresh** the app so Argo compares **`clusters/noble/bootstrap`** to the cluster: Argo UI → **noble-bootstrap-root** → **Refresh**, or:
+
+   ```bash
+   argocd app get noble-bootstrap-root --refresh
+   ```
+
+4. **Enable automated sync** (prune + self-heal), preserving **`CreateNamespace`**, using any one of:
+
+   **kubectl**
+
+   ```bash
+   kubectl patch application noble-bootstrap-root -n argocd --type merge -p '{"spec":{"syncPolicy":{"automated":{"prune":true,"selfHeal":true},"syncOptions":["CreateNamespace=true"]}}}'
+   ```
+
+   **argocd** CLI (logged in)
+
+   ```bash
+   argocd app set noble-bootstrap-root --sync-policy automated --auto-prune --self-heal
+   ```
+
+   **UI:** open **noble-bootstrap-root** → **App Details** → enable **AUTO-SYNC** (and **Prune** / **Self Heal** if shown).
+
+5. Trigger a sync if the app does not go green immediately: **Sync** in the UI, or `argocd app sync noble-bootstrap-root`.
+
+After this, **git** is the source of truth for everything under **`clusters/noble/bootstrap/kustomization.yaml`** (including **`argocd/app-of-apps/`**). Helm-managed platform components remain whatever Ansible last installed until you model them as Argo **`Application`**s under **`app-of-apps/`** and stop installing them from Ansible.
 
 ## Versions
 

clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml

@@ -0,0 +1,6 @@
+# Sub-kustomization included by **clusters/noble/bootstrap/kustomization.yaml**. Leaf **Application** /
+# **AppProject** resources (Helm apps you migrate off raw **helm upgrade** in Ansible). Synced with the
+# rest of **clusters/noble/bootstrap** via **noble-bootstrap-root** once automated sync is enabled.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []

clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml

@@ -0,0 +1,29 @@
+# **noble-bootstrap-root** — Kustomize app-of-apps for **clusters/noble/bootstrap** (same tree as
+# **ansible/playbooks/noble.yml** → **noble_platform** `kubectl apply -k`).
+#
+# **Initial deploy:** Ansible is the only writer; **automated sync is off** so Argo does not reconcile
+# during **noble.yml**. **After** the playbook finishes, enable automated sync (see **README.md** §5)
+# so git becomes the source of truth for this kustomize output.
+#
+# Edit **spec.source.repoURL** / **targetRevision** for your remote.
+#
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: noble-bootstrap-root
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  source:
+    repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+    targetRevision: HEAD
+    path: clusters/noble/bootstrap
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  # Manual sync until you enable automation after Ansible (see README.md §5).
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true

clusters/noble/bootstrap/argocd/root-application.yaml

@@ -3,8 +3,10 @@
 # 1. Set spec.source.repoURL (and targetRevision — **HEAD** tracks the remote default branch) to this repo.
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
-# **clusters/noble/apps** holds optional **Application** manifests. Core platform is installed by
-# **ansible/playbooks/noble.yml** from **clusters/noble/bootstrap/**.
+# **clusters/noble/apps** holds optional **Application** manifests. Core platform Helm + kustomize is
+# installed by **ansible/playbooks/noble.yml** from **clusters/noble/bootstrap/**. **bootstrap-root-application.yaml**
+# registers **noble-bootstrap-root** for the same kustomize tree (**manual** sync until you enable
+# automation after the playbook — see **README.md** §5).
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application

clusters/noble/bootstrap/kustomization.yaml

@@ -1,6 +1,8 @@
 # Ansible bootstrap: plain Kustomize (namespaces + extra YAML). Helm installs are driven by
 # **ansible/playbooks/noble.yml** (role **noble_platform**) — avoids **kustomize --enable-helm** in-repo.
-# Optional GitOps workloads live under **../apps/** (Argo **noble-root**).
+# Optional GitOps: **../apps/** (Argo **noble-root**); leaf **Application**s under **argocd/app-of-apps/**.
+# **noble-bootstrap-root** (Argo) uses this same path — enable automated sync only after **noble.yml**
+# completes (see **argocd/README.md** §5).
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
@@ -14,3 +16,4 @@ resources:
   - velero/longhorn-volumesnapshotclass.yaml
   - headlamp/namespace.yaml
   - grafana-loki-datasource/loki-datasource.yaml
+  - argocd/app-of-apps