gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10fdaf873cf3a74a654c017ce1eae94759836e43
home-server/clusters/noble/bootstrap/argocd
History
Nikholas Pcenicni 10fdaf873c Update .gitignore to include .tmp files, remove Trivy namespace from kustomization.yaml, and add Trivy dashboard application to app-of-apps kustomization. Delete obsolete Trivy namespace and values files to streamline deployment configuration.
2026-05-14 17:10:00 -04:00
..
app-of-apps
Update .gitignore to include .tmp files, remove Trivy namespace from kustomization.yaml, and add Trivy dashboard application to app-of-apps kustomization. Delete obsolete Trivy namespace and values files to streamline deployment configuration.
2026-05-14 17:10:00 -04:00
bootstrap-root-application.yaml
Refactor noble.yml playbook to apply Argo CD Application manifests after all Helm roles, ensuring proper resource ownership and avoiding SSA conflicts. Update related documentation to reflect the new execution order and clarify the role of Argo CD in the deployment process.
2026-05-14 16:46:45 -04:00
README.md
Update documentation and playbook to clarify Trivy Operator installation via Argo CD, removing direct Ansible role references. Adjust README and related files to reflect the new deployment order and ensure proper resource ownership, enhancing overall clarity for users.
2026-05-14 17:04:25 -04:00
root-application.yaml
Refactor Argo CD application deployment by removing obsolete tasks and updating README for clarity. Introduce new task inclusion for Argo CD applications post-platform Helm installation, ensuring proper application order and synchronization.
2026-05-13 16:57:51 -04:00
values-authentik-oidc.yaml
Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.
2026-05-14 00:23:48 -04:00
values.yaml
Update .gitignore to include generated noble-lab-ui-urls.md and enhance README.md with new role documentation. Refactor noble.yml to incorporate noble_landing_urls role for improved URL management. Add ingress configurations for alertmanager, prometheus, longhorn, and vault to support TLS termination via Traefik. Update network policies and values.yaml for vault to allow traffic from Traefik. These changes aim to streamline deployment and enhance service accessibility.
2026-03-28 16:32:21 -04:00

README.md

Argo CD — noble (bootstrap)

Prerequisites: cluster Ready, Traefik + cert-manager; DNS argo.apps.noble.lab.pcenicni.dev → Traefik 192.168.50.211 (see values.yaml).

1. Install

helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm upgrade --install argocd argo/argo-cd \
  --namespace argocd \
  --create-namespace \
  --version 9.4.17 \
  -f clusters/noble/bootstrap/argocd/values.yaml \
  --wait

RBAC: values.yaml sets policy.default: role:readonly and g, admin, role:admin so the local admin user keeps full access while future OIDC users default to read-only until you add policy.csv mappings.

2. UI / CLI address

HTTPS: https://argo.apps.noble.lab.pcenicni.dev (Ingress via Traefik; cert from values.yaml).

kubectl get ingress -n argocd

Log in as admin; initial password:

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath='{.data.password}' | base64 -d
echo

Change the password in the UI or via argocd account update-password.

TLS: changing ClusterIssuer (e.g. staging → prod)

If helm upgrade --wait fails with Secret was previously issued by letsencrypt-staging (or another issuer), cert-manager will not replace the TLS Secret in place. Remove the old cert material once, then upgrade again:

kubectl -n argocd delete certificate argocd-server --ignore-not-found
kubectl -n argocd delete secret argocd-server-tls --ignore-not-found
helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
  --version 9.4.17 -f clusters/noble/bootstrap/argocd/values.yaml --wait

3. Register this repo (if private)

Use Settings → Repositories in the UI, or argocd repo add / a Secret of type repository.

4. App-of-apps (GitOps)

Ansible (ansible/playbooks/noble.yml) runs kubectl apply -k clusters/noble/bootstrap from noble_platform, then Helm for the platform stack, then noble_authentik, noble_velero, and only then (play tasks:) noble_argocd applications_post_platform.yml applies root-application.yaml, bootstrap-root-application.yaml, and kubectl apply -k clusters/noble/bootstrap/argocd/app-of-apps. Trivy Operator is not installed by Ansible; sync the noble-trivy-operator leaf app (or enable automation) after noble.yml. That order keeps Ansible Helm first and lets Argo take ownership when you sync or enable automation (no premature SSA vs Helm).

  1. Edit root-application.yaml and bootstrap-root-application.yaml: set repoURL and targetRevision. The resources-finalizer.argocd.argoproj.io/background finalizer uses Argos path-qualified form so kubectl apply does not warn about finalizer names.

  2. Optional add-on apps: add Application manifests under clusters/noble/apps/ (see clusters/noble/apps/README.md).

  3. Bootstrap kustomize (namespaces, datasource, etc.): noble-bootstrap-root syncs clusters/noble/bootstrap (no argocd/app-of-apps/ in that kustomization). Leaf Application manifests live under argocd/app-of-apps/; Ansible applies that directory after all noble_* Helm roles in noble.yml (see §4) so Argo does not SSA charts before Helm. The root app uses manual sync; each leaf app is manual until you enable automation (see §5).

    ansible/playbooks/noble.yml: roles noble_argocd (Argo Helm only), noble_platform, noble_authentik, noble_velero, then play tasks run applications_post_platform when noble_argocd_apply_* flags are set in ansible/inventory/group_vars/all.yml. Trivy is deployed only via Argo (noble-trivy-operator).

    kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
kubectl apply -f clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml

If you migrated from older GitOps Application names, delete stale Application objects on the cluster (see clusters/noble/apps/README.md) then re-apply the roots.

Trivy (noble-trivy-operator): If an older install left an orphan ServiceMonitor named trivy-operator in monitoring (missing meta.helm.sh/release-* annotations), Helm/Argo will refuse to adopt it. Delete once, then sync noble-trivy-operator:

kubectl delete servicemonitor trivy-operator -n monitoring --ignore-not-found

5. After Ansible: enable automated sync for noble-bootstrap-root

Do this only after ansible-playbook playbooks/noble.yml has finished successfully (including noble_platform / noble_authentik Helm, noble_velero if enabled, and the final applications_post_platform kubectl apply of leaf Application CRs). Until then, leave manual sync so Argo does not fight the playbook.

Required steps

  1. Confirm the cluster matches git for kustomize output (optional): kubectl kustomize clusters/noble/bootstrap | kubectl diff -f - or inspect resources in the UI.

  2. Register the git repo in Argo if you have not already (§3).

  3. Refresh the app so Argo compares clusters/noble/bootstrap to the cluster: Argo UI → noble-bootstrap-rootRefresh, or:

    argocd app get noble-bootstrap-root --refresh

  4. Enable automated sync (prune + self-heal), preserving CreateNamespace, using any one of:

    kubectl

    kubectl patch application noble-bootstrap-root -n argocd --type merge -p '{"spec":{"syncPolicy":{"automated":{"prune":true,"selfHeal":true},"syncOptions":["CreateNamespace=true"]}}}'

    argocd CLI (logged in)

    argocd app set noble-bootstrap-root --sync-policy automated --auto-prune --self-heal

    UI: open noble-bootstrap-rootApp Details → enable AUTO-SYNC (and Prune / Self Heal if shown).

  5. Trigger a sync if the app does not go green immediately: Sync in the UI, or argocd app sync noble-bootstrap-root.

  6. Leaf apps (noble-cilium, noble-kube-prometheus, … under app-of-apps/) stay manual until you turn on AUTO-SYNC (or sync once) per app after Ansible has finished. Until then they only register intent in Argo; Ansible still performs the Helm installs in noble_* roles for those charts (Trivy Operator is an exception — install/sync only via noble-trivy-operator). When you are ready for Argo to own a chart, enable sync for that leaf app and remove the corresponding helm upgrade task from Ansible so only one controller manages the release.

If helm upgrade failed with conflict with argocd-controller, a leaf app had already reconciled: apply the updated manifests (manual leaf sync), delete the conflicting Application with --cascade=false if needed, then re-run the playbook — or finish migration to Argo-only for that chart.

After noble-bootstrap-root is automated and leaf apps are synced, git is the source of truth for clusters/noble/bootstrap/kustomization.yaml and the leaf Application specs.

Versions

Pinned in values.yaml comments (chart 9.4.17 / Argo CD v3.3.6 at time of writing). Bump --version when upgrading.

Reference in New Issue View Git Blame Copy Permalink