ci: fix runmelast hanging, add proxy CA injection, clean SA/CRD leftovers on redeploy

pipelines/runmelast.sh

@@ -3,8 +3,7 @@ set -euo pipefail
 
 # runmelast.sh — Pipeline infrastructure teardown
 # Removes: Kargo → ArgoCD → Woodpecker (reverse install order)
-# Preserves: NFS PVs, NFS data, git-server namespace (Gitea + registry),
-#            stonks-oracle namespace, stonks-beta, stonks-paper
+# Preserves: namespaces, PVCs, TLS certs, NFS PVs, git-server, application namespaces
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 cd "$SCRIPT_DIR"
@@ -12,11 +11,11 @@ cd "$SCRIPT_DIR"
 echo "=== Pipeline Infrastructure Teardown ==="
 echo ""
 echo "This will remove Kargo, ArgoCD, and Woodpecker CI."
-echo "Preserved: NFS PVs, NFS data, git-server (Gitea + registry), application namespaces."
+echo "Preserved: namespaces, PVCs, TLS certs, NFS PVs, git-server, application namespaces."
 echo ""
 
 # -------------------------------------------------------
-# 1. Remove Kargo resources + Helm release
+# 1. Remove Kargo resources + Helm release + CRDs
 # -------------------------------------------------------
 echo "--- Step 1: Removing Kargo ---"
 kubectl delete -f kargo/stages/live.yaml --ignore-not-found || true
@@ -27,11 +26,15 @@ kubectl delete -f kargo/warehouse.yaml --ignore-not-found || true
 kubectl delete -f kargo/project-config.yaml --ignore-not-found || true
 kubectl delete -f kargo/project.yaml --ignore-not-found || true
 helm uninstall kargo --namespace kargo || true
+kubectl delete crd freights.kargo.akuity.io projects.kargo.akuity.io stages.kargo.akuity.io \
+  warehouses.kargo.akuity.io promotions.kargo.akuity.io promotiontasks.kargo.akuity.io \
+  clusterpromotiontasks.kargo.akuity.io projectconfigs.kargo.akuity.io \
+  clusterconfigs.kargo.akuity.io --ignore-not-found > /dev/null 2>&1 || true
 echo "  ✓ Kargo removed"
 echo ""
 
 # -------------------------------------------------------
-# 2. Remove ArgoCD resources + Helm release
+# 2. Remove ArgoCD resources + Helm release + CRDs
 # -------------------------------------------------------
 echo "--- Step 2: Removing ArgoCD ---"
 kubectl delete -f argocd/apps/stonks-live.yaml --ignore-not-found || true
@@ -39,6 +42,8 @@ kubectl delete -f argocd/apps/stonks-paper.yaml --ignore-not-found || true
 kubectl delete -f argocd/apps/stonks-beta.yaml --ignore-not-found || true
 kubectl delete -f argocd/repo-secret.yaml --ignore-not-found || true
 helm uninstall argocd --namespace argocd || true
+kubectl delete crd applications.argoproj.io applicationsets.argoproj.io appprojects.argoproj.io \
+  --ignore-not-found > /dev/null 2>&1 || true
 echo "  ✓ ArgoCD removed"
 echo ""
 
@@ -51,27 +56,17 @@ helm uninstall woodpecker --namespace woodpecker || true
 echo "  ✓ Woodpecker CI removed"
 echo ""
 
-# -------------------------------------------------------
-# 4. Delete namespaces (pipeline infra only)
-# -------------------------------------------------------
-echo "--- Step 4: Deleting pipeline namespaces ---"
-for ns in woodpecker argocd kargo; do
-  kubectl delete namespace "$ns" --ignore-not-found || true
-  echo "  ✓ namespace/$ns deleted"
-done
-echo ""
-
-# NOTE: The following are intentionally NOT deleted:
-# - NFS PersistentVolumes (pipeline-argocd-pv, pipeline-kargo-pv, pipeline-woodpecker-pv)
-# - NFS data at nfs://192.168.42.8:/volume1/Kubernetes/pipelines/
-# - git-server namespace (Gitea + local registry)
-# - stonks-oracle namespace (production workloads)
-# - stonks-beta namespace (beta workloads)
-# - stonks-paper namespace (paper trading workloads)
+# NOTE: Namespaces are intentionally NOT deleted.
+# PVCs, TLS certs, and proxy-ca-cert ConfigMaps survive for fast redeploy.
+# runmefirst.sh uses idempotent creates (--dry-run=client | kubectl apply).
 
 echo "=== Pipeline Infrastructure Teardown Complete ==="
 echo ""
 echo "Preserved:"
-echo "  - NFS PVs and data (survives cluster rebuild)"
+echo "  - Namespaces (woodpecker, argocd, kargo)"
+echo "  - PVCs (Woodpecker DB, agent configs)"
+echo "  - TLS certificates (Let's Encrypt rate limited)"
+echo "  - NFS PVs and data"
+echo "  - proxy-ca-cert ConfigMaps"
 echo "  - git-server namespace (Gitea + registry)"
 echo "  - Application namespaces (stonks-oracle, stonks-beta, stonks-paper)"