From fc70c68c26c3133d80a27a770349da51185deb65 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Wed, 13 May 2026 17:11:11 -0400
Subject: [PATCH] Add tasks to manage kyverno-admission-controller FlowSchema for Argo CD compatibility, addressing server-side applied conflicts and ensuring proper Helm SSA conflict recovery.
---
 ansible/roles/noble_kyverno/defaults/main.yml | 6 ++++
 ansible/roles/noble_kyverno/tasks/main.yml | 35 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 ansible/roles/noble_kyverno/defaults/main.yml
diff --git a/ansible/roles/noble_kyverno/defaults/main.yml b/ansible/roles/noble_kyverno/defaults/main.yml
new file mode 100644
index 0000000..33ddb5d
--- /dev/null
+++ b/ansible/roles/noble_kyverno/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# When true, delete **FlowSchema/kyverno-admission-controller** if **managedFields** show **argocd-controller**
+# (Helm SSA conflict after Argo synced Kyverno before Ansible).
+noble_kyverno_repair_argo_ssa_on_flowschema: true
+# When true, delete that FlowSchema whenever it exists (before Helm). One-shot escape hatch.
+noble_kyverno_delete_kyverno_admission_flowschema_if_present: false
diff --git a/ansible/roles/noble_kyverno/tasks/main.yml b/ansible/roles/noble_kyverno/tasks/main.yml
index 53799dc..d985ab1 100644
--- a/ansible/roles/noble_kyverno/tasks/main.yml
+++ b/ansible/roles/noble_kyverno/tasks/main.yml
@@ -1,4 +1,39 @@
 ---
+# Argo may have server-side-applied cluster FlowSchemas; Helm then fails with "conflict with argocd-controller".
+- name: Read kyverno-admission-controller FlowSchema (if any) for SSA repair
+ ansible.builtin.command:
+ argv:
+ - kubectl
+ - get
+ - flowschemas.flowcontrol.apiserver.k8s.io
+ - kyverno-admission-controller
+ - --show-managed-fields=true
+ - -o
+ - json
+ environment:
+ KUBECONFIG: "{{ noble_kubeconfig }}"
+ register: noble_kyverno_flowschema_json
+ failed_when: false
+ changed_when: false
+ when: noble_kyverno_repair_argo_ssa_on_flowschema | default(true) | bool
+
+- name: Remove kyverno-admission-controller FlowSchema when Argo is a field manager (Helm SSA conflict recovery)
+ ansible.builtin.command:
+ argv:
+ - kubectl
+ - delete
+ - flowschemas.flowcontrol.apiserver.k8s.io
+ - kyverno-admission-controller
+ - --wait=false
+ environment:
+ KUBECONFIG: "{{ noble_kubeconfig }}"
+ when:
+ - noble_kyverno_repair_argo_ssa_on_flowschema | default(true) | bool
+ - not (noble_kyverno_flowschema_json.skipped | default(false))
+ - noble_kyverno_flowschema_json.rc | default(-1) | int == 0
+ - (noble_kyverno_delete_kyverno_admission_flowschema_if_present | default(false) | bool) or ("argocd-controller" in (noble_kyverno_flowschema_json.stdout | default("")))
+ changed_when: true
+
 - name: Create Kyverno namespace
 ansible.builtin.command:
 argv:
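Review bot: The last `when` condition of the delete task removes the cluster-scoped FlowSchema on a plain substring match of `argocd-controller` anywhere in the `kubectl get -o json` output, whereas the task name and the comment in the new defaults file both describe a check on the `managedFields` managers; any label, annotation or other field whose value happens to contain that string would trigger the deletion by default. Since the read task already passes `--show-managed-fields=true -o json`, the condition can be made exact: `- (noble_kyverno_delete_kyverno_admission_flowschema_if_present | default(false) | bool) or ((noble_kyverno_flowschema_json.stdout | from_json).metadata.managedFields | default([]) | map(attribute='manager') | select('equalto', 'argocd-controller') | list | length > 0)`. Separately, `failed_when: false` on the read task hides every kubectl failure other than a missing object (unreadable kubeconfig, RBAC denial), and because `rc` is then non-zero the repair silently does not run and Helm fails later with the very conflict this commit targets; a follow-up task that fails (or at least logs) when `rc != 0` and stderr does not indicate a not-found object would make that visible.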