# Argo CD — noble (bootstrap)

**Prerequisites:** cluster **Ready**, **Traefik** + **cert-manager**; DNS **`argo.apps.noble.lab.pcenicni.dev`** → Traefik **`192.168.50.211`** (see **`values.yaml`**).

## 1. Install

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm upgrade --install argocd argo/argo-cd \
  --namespace argocd \
  --create-namespace \
  --version 9.4.17 \
  -f clusters/noble/bootstrap/argocd/values.yaml \
  --wait
```

**RBAC:** `values.yaml` sets **`policy.default: role:readonly`** and **`g, admin, role:admin`**, so the local **`admin`** user keeps full access while future OIDC users default to read-only until you add **`policy.csv`** mappings for them.

## 2. UI / CLI address

**HTTPS:** `https://argo.apps.noble.lab.pcenicni.dev` (Ingress via Traefik; cert from **`values.yaml`**).

```bash
kubectl get ingress -n argocd
```

Log in as **`admin`**; initial password:

```bash
kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath='{.data.password}' | base64 -d
echo
```

Change the password in the UI or via `argocd account update-password`, then delete **`argocd-initial-admin-secret`**: Argo CD only reads it to seed the first password, and leaving it in place keeps a valid-looking credential (base64, not encrypted) in the namespace.

### TLS: changing ClusterIssuer (e.g. staging → prod)

If **`helm upgrade --wait`** fails with *Secret was previously issued by `letsencrypt-staging`* (or another issuer) and cert-manager has not replaced the TLS Secret in place, remove the old cert material once, then upgrade again:

```bash
kubectl -n argocd delete certificate argocd-server --ignore-not-found
kubectl -n argocd delete secret argocd-server-tls --ignore-not-found
helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
  --version 9.4.17 -f clusters/noble/bootstrap/argocd/values.yaml --wait
```

Until the new **`Certificate`** reports `READY=True` (`kubectl -n argocd get certificate argocd-server`), Traefik serves its default certificate for the UI hostname; expect a short window of TLS warnings.

## 3. Register this repo (if private)

Use **Settings → Repositories** in the UI, or `argocd repo add`, or a `Secret` in the `argocd` namespace labelled **`argocd.argoproj.io/secret-type: repository`**. Argo CD only needs to read the repo: use a read-only deploy key or token rather than a credential that can push.

## 4. App-of-apps (GitOps)

**Ansible** (`ansible/playbooks/noble.yml`) performs the **initial** install: Helm releases and **`kubectl apply -k clusters/noble/bootstrap`**.
**Argo** then tracks the same git paths for ongoing reconciliation.

1. Edit **`root-application.yaml`** and **`bootstrap-root-application.yaml`**: set **`repoURL`** and **`targetRevision`**. Both carry the path-qualified finalizer **`resources-finalizer.argocd.argoproj.io/background`**, so **`kubectl apply`** does not warn about the finalizer name.
2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
3. **Bootstrap kustomize** (namespaces, datasource, leaf **`Application`**s under **`argocd/app-of-apps/`**, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`**. It is created with **manual** sync only, so Argo does not apply changes while **`noble.yml`** is still running. Current leaf apps: **cilium**, **metrics-server**, **longhorn**, **metallb**, **traefik**, **cert-manager**, **kube-vip**, **csi-snapshot-crds**, **csi-snapshot-controller**, **kyverno**, **kyverno-policies**, **kube-prometheus**, **loki**, **fluent-bit**, **headlamp**. Optional components that need extra runtime credentials (for example **newt** and **velero**) are still Ansible-driven by default.

**`ansible/playbooks/noble.yml`** (role **`noble_argocd`**) applies both roots when **`noble_argocd_apply_root_application`** / **`noble_argocd_apply_bootstrap_root_application`** are true in **`ansible/group_vars/all.yml`**. To apply them by hand:

```bash
kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
kubectl apply -f clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml
```

If you migrated from older GitOps **`Application`** names, delete the stale **`Application`** objects on the cluster (see **`clusters/noble/apps/README.md`**), then re-apply the roots. Deleting an **`Application`** that carries the resources finalizer cascades to everything it manages; if a stale app still owns live resources you want to keep, drop the finalizer first (`argocd app delete <name> --cascade=false`, or remove it from `metadata.finalizers`).

## 5. After Ansible: enable automated sync for **noble-bootstrap-root**

Do this only after **`ansible-playbook playbooks/noble.yml`** has finished successfully (including the **`noble_platform`** `kubectl apply -k` and any Helm stages you rely on).
Until then, leave **manual** sync so Argo does not fight the playbook.

**Required steps**

1. Optional: confirm the cluster matches the kustomize output in git: `kubectl kustomize clusters/noble/bootstrap | kubectl diff -f -`, or inspect the resources in the UI.
2. Register the git repo in Argo if you have not already (**§3**).
3. **Refresh** the app so Argo compares **`clusters/noble/bootstrap`** to the cluster: Argo UI → **noble-bootstrap-root** → **Refresh**, or:

   ```bash
   argocd app get noble-bootstrap-root --refresh
   ```

4. **Enable automated sync** (prune + self-heal), preserving **`CreateNamespace`**. Use any one of:

   **kubectl** (a JSON merge patch replaces the `syncOptions` list wholesale, so list every option you want to keep)

   ```bash
   kubectl patch application noble-bootstrap-root -n argocd --type merge \
     -p '{"spec":{"syncPolicy":{"automated":{"prune":true,"selfHeal":true},"syncOptions":["CreateNamespace=true"]}}}'
   ```

   **argocd** CLI (logged in)

   ```bash
   argocd app set noble-bootstrap-root --sync-policy automated --auto-prune --self-heal
   ```

   **UI:** open **noble-bootstrap-root** → **App Details** → enable **AUTO-SYNC** (and **Prune** / **Self Heal** if shown).

5. Trigger a sync if the app does not go green immediately: **Sync** in the UI, or `argocd app sync noble-bootstrap-root`.

After this, **git** is the source of truth for everything under **`clusters/noble/bootstrap/kustomization.yaml`** (including **`argocd/app-of-apps/`**): with prune on, anything in that tree that is removed from git is deleted from the cluster, and with self-heal on, manual `kubectl` edits to those resources are reverted. Helm-managed platform components remain whatever Ansible last installed until you model them as Argo **`Application`**s under **`app-of-apps/`** and stop installing them from Ansible.

## Versions

Pinned in **`values.yaml`** comments (chart **9.4.17** / Argo CD **v3.3.6** at time of writing). Bump **`--version`** when upgrading.
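Pre-flight checks for the steps above, as an added example that is not part of this repository or of Argo CD: a small Python script that works on dicts shaped like `kubectl get <kind> -o json` output, so it runs offline against the constructed sample objects at the bottom (the repo URL and the `letsencrypt-prod` issuer name in the samples are assumptions). It covers the §2 issuer change (is the existing `argocd-server-tls` Secret from a different issuer than the `Certificate` now requests, i.e. the case that needs the one-time delete), §4 step 1 (placeholder `repoURL`, missing `targetRevision`, bare finalizer form, an `automated` policy on a root that should still be manual) and §5 step 4 (the merge patch, built so that existing `syncOptions` survive, since a JSON merge patch replaces the whole list).

```python
"""Pre-flight checks for the noble Argo CD bootstrap (added example, not repo code).
Works on plain dicts shaped like `kubectl get <kind> -o json`; runs offline on the
constructed samples below. Values marked "assumed" are not from the repository."""
from __future__ import annotations

import json

# Annotations cert-manager writes on the TLS Secret it issues.
CM_ISSUER_NAME = "cert-manager.io/issuer-name"
CM_ISSUER_KIND = "cert-manager.io/issuer-kind"

# Argo CD resource finalizer. The bare form makes `kubectl apply` warn
# "prefer a domain-qualified finalizer name"; the path-qualified forms do not.
ARGO_FINALIZER_BARE = "resources-finalizer.argocd.argoproj.io"
ARGO_FINALIZERS_QUALIFIED = {ARGO_FINALIZER_BARE + "/foreground",
                             ARGO_FINALIZER_BARE + "/background"}
REPO_PLACEHOLDERS = ("CHANGEME", "OWNER/REPO", "<", ">")


def tls_secret_issuer_mismatch(certificate: dict, secret: dict) -> str | None:
    """Section 2: explain why the existing TLS Secret does not match the Certificate's
    current issuerRef, or return None when they agree (or the Secret was not written
    by cert-manager, in which case there is nothing to compare)."""
    want = certificate["spec"]["issuerRef"]
    want_kind = want.get("kind", "Issuer")  # cert-manager's default kind
    ann = secret.get("metadata", {}).get("annotations", {})
    have_name, have_kind = ann.get(CM_ISSUER_NAME), ann.get(CM_ISSUER_KIND)
    if have_name is None:
        return None
    if (have_kind, have_name) != (want_kind, want["name"]):
        return (f"Secret was issued by {have_kind}/{have_name}, "
                f"Certificate now wants {want_kind}/{want['name']}")
    return None


def check_root_application(app: dict, expect_manual: bool) -> list[str]:
    """Section 4 step 1 / section 5 gate: lint a root Application manifest."""
    findings: list[str] = []
    spec = app.get("spec", {})
    src = spec.get("source", {})
    repo = src.get("repoURL", "")
    if not repo or any(p in repo for p in REPO_PLACEHOLDERS):
        findings.append("spec.source.repoURL is unset or still a placeholder")
    elif repo.startswith("http://"):
        findings.append("spec.source.repoURL uses plain http://; use https:// or ssh")
    if not src.get("targetRevision"):
        findings.append("spec.source.targetRevision is unset (Argo CD would track HEAD)")
    for fin in app.get("metadata", {}).get("finalizers", []):
        if fin == ARGO_FINALIZER_BARE:
            findings.append("finalizer uses the bare form; use /background or /foreground")
        elif fin.startswith(ARGO_FINALIZER_BARE) and fin not in ARGO_FINALIZERS_QUALIFIED:
            findings.append(f"unknown Argo CD finalizer {fin!r}")
    if expect_manual and "automated" in spec.get("syncPolicy", {}):
        findings.append("syncPolicy.automated is set; keep the app manual until Ansible is done")
    return findings


def automated_sync_patch(app: dict) -> dict:
    """Section 5 step 4: merge patch enabling prune + selfHeal. A JSON merge patch
    replaces the whole `syncOptions` list, so carry existing options over and make
    sure CreateNamespace=true is among them."""
    options = list(app.get("spec", {}).get("syncPolicy", {}).get("syncOptions", []))
    if "CreateNamespace=true" not in options:
        options.append("CreateNamespace=true")
    return {"spec": {"syncPolicy": {"automated": {"prune": True, "selfHeal": True},
                                    "syncOptions": options}}}


def kubectl_patch_command(app: dict, patch: dict) -> str:
    """Render the kubectl invocation that applies `patch` to `app`."""
    meta = app["metadata"]
    return (f"kubectl patch application {meta['name']} -n {meta['namespace']} "
            f"--type merge -p '{json.dumps(patch, separators=(',', ':'))}'")


# --- constructed samples, not real cluster output ----------------------------
SAMPLE_CERTIFICATE = {
    "kind": "Certificate", "metadata": {"name": "argocd-server", "namespace": "argocd"},
    "spec": {"secretName": "argocd-server-tls",
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},  # assumed
}
SAMPLE_STAGING_SECRET = {  # left behind by the staging issuer; key material omitted
    "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "argocd-server-tls", "namespace": "argocd",
                 "annotations": {CM_ISSUER_NAME: "letsencrypt-staging",
                                 CM_ISSUER_KIND: "ClusterIssuer"}},
}
SAMPLE_BOOTSTRAP_ROOT = {
    "kind": "Application",
    "metadata": {"name": "noble-bootstrap-root", "namespace": "argocd",
                 "finalizers": [ARGO_FINALIZER_BARE + "/background"]},
    "spec": {"project": "default",
             "source": {"repoURL": "https://git.example.invalid/lab/noble.git",  # assumed
                        "targetRevision": "main", "path": "clusters/noble/bootstrap"},
             "destination": {"server": "https://kubernetes.default.svc", "namespace": "argocd"},
             "syncPolicy": {"syncOptions": ["CreateNamespace=true"]}},  # manual sync
}

if __name__ == "__main__":
    print("TLS:", tls_secret_issuer_mismatch(SAMPLE_CERTIFICATE, SAMPLE_STAGING_SECRET))
    print("root app:", check_root_application(SAMPLE_BOOTSTRAP_ROOT, expect_manual=True))
    print(kubectl_patch_command(SAMPLE_BOOTSTRAP_ROOT, automated_sync_patch(SAMPLE_BOOTSTRAP_ROOT)))
```

To run it against the live cluster, feed `kubectl -n argocd get certificate argocd-server -o json`, `kubectl -n argocd get secret argocd-server-tls -o json` and `kubectl -n argocd get application noble-bootstrap-root -o json` through `json.load`; the issuer check only reads the Secret's metadata, so the key material never has to leave the cluster. The rendered patch command is byte-for-byte the one in §5 step 4 when the app already has `CreateNamespace=true`.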