gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add tasks to manage kyverno-admission-controller FlowSchema for Argo CD compatibility, addressing server-side applied conflicts and ensuring proper Helm SSA conflict recovery.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-13 17:11:11 -04:00
parent d206a590ab
commit fc70c68c26
2 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ansible/roles/noble_kyverno/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# When true, delete **FlowSchema/kyverno-admission-controller** if **managedFields** show **argocd-controller**
# (Helm SSA conflict after Argo synced Kyverno before Ansible).
noble_kyverno_repair_argo_ssa_on_flowschema: true
# When true, delete that FlowSchema whenever it exists (before Helm). One-shot escape hatch.
noble_kyverno_delete_kyverno_admission_flowschema_if_present: false

35
ansible/roles/noble_kyverno/tasks/main.yml
View File

@@ -1,4 +1,39 @@
---
# Argo may have server-side-applied cluster FlowSchemas; Helm then fails with "conflict with argocd-controller".
- name: Read kyverno-admission-controller FlowSchema (if any) for SSA repair
ansible.builtin.command:
argv:
- kubectl
- get
- flowschemas.flowcontrol.apiserver.k8s.io
- kyverno-admission-controller
- --show-managed-fields=true
- -o
- json
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
register: noble_kyverno_flowschema_json
failed_when: false
changed_when: false
when: noble_kyverno_repair_argo_ssa_on_flowschema | default(true) | bool
- name: Remove kyverno-admission-controller FlowSchema when Argo is a field manager (Helm SSA conflict recovery)
ansible.builtin.command:
argv:
- kubectl
- delete
- flowschemas.flowcontrol.apiserver.k8s.io
- kyverno-admission-controller
- --wait=false
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
when:
- noble_kyverno_repair_argo_ssa_on_flowschema | default(true) | bool
- not (noble_kyverno_flowschema_json.skipped | default(false))
- noble_kyverno_flowschema_json.rc | default(-1) | int == 0
- (noble_kyverno_delete_kyverno_admission_flowschema_if_present | default(false) | bool) or ("argocd-controller" in (noble_kyverno_flowschema_json.stdout | default("")))
changed_when: true
- name: Create Kyverno namespace
ansible.builtin.command:
argv: