# Argo CD — noble (bootstrap)

**Prerequisites:** cluster **Ready**, **Traefik** + **cert-manager**; DNS **`argo.apps.noble.lab.pcenicni.dev`** → Traefik **`192.168.50.211`** (see **`values.yaml`**).

## 1. Install

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm upgrade --install argocd argo/argo-cd \
  --namespace argocd \
  --create-namespace \
  --version 9.4.17 \
  -f clusters/noble/bootstrap/argocd/values.yaml \
  --wait
```

**RBAC:** `values.yaml` sets **`policy.default: role:readonly`** and **`g, admin, role:admin`** so the local **`admin`** user keeps full access while future OIDC users default to read-only until you add **`policy.csv`** mappings.

## 2. UI / CLI address

**HTTPS:** `https://argo.apps.noble.lab.pcenicni.dev` (Ingress via Traefik; cert from **`values.yaml`**).

```bash
kubectl get ingress -n argocd
```

Log in as **`admin`**; initial password:

```bash
kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath='{.data.password}' | base64 -d
echo
```

Change the password in the UI or via `argocd account update-password`.

## 3. Register this repo (if private)

Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` of type `repository`.

## 4. App-of-apps (optional)

1. Edit **`root-application.yaml`**: set **`repoURL`** and **`targetRevision`** to this repository. The **`resources-finalizer.argocd.argoproj.io/background`** finalizer uses Argo’s path-qualified form so **`kubectl apply`** does not warn about finalizer names.
2. Commit **`Application`** manifests under **`apps/`** (see **`apps/README.md`**).
3. Apply the root:

   ```bash
   kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
   ```

**`apps/noble-platform.yaml`** lists Helm charts and a Git **`path`** for **`clusters/noble/apps`** (see **`kustomization.yaml`** there).

## Versions

Pinned in **`values.yaml`** comments (chart **9.4.17** / Argo CD **v3.3.6** at time of writing). Bump **`--version`** when upgrading.