---
# Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_trivy**,
# **noble_velero** (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm
# finishes, or **argocd-controller** can SSA resources without Helm release metadata (e.g. Trivy ServiceAccount).
- name: Apply Argo CD root Application (app-of-apps)
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/root-application.yaml"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_argocd_apply_root_application | default(false) | bool
  changed_when: true

- name: Apply Argo CD bootstrap root Application
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_argocd_apply_bootstrap_root_application | default(false) | bool
  changed_when: true

- name: Apply Argo CD leaf Application definitions (argocd/app-of-apps — post-Helm)
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -k
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/app-of-apps"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_argocd_apply_bootstrap_root_application | default(false) | bool
  changed_when: true