fix: trivy node-collector toleration + argo-rollouts CRD sync

- Add control-plane toleration to trivy nodeCollector so it can
  schedule on k8s-master (was stuck Pending indefinitely)
- Add ignoreDifferences for CRDs + ServerSideApply to argo-rollouts
  to resolve perpetual OutOfSync caused by Helm CRD management gap

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

argocd-apps/argo-rollouts.yaml

@@ -27,9 +27,18 @@ spec:
   destination:
     server: https://kubernetes.default.svc
     namespace: argo-rollouts
+  ignoreDifferences:
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jsonPointers:
+        - /spec
+        - /metadata/annotations
+        - /metadata/labels
   syncPolicy:
     automated:
       prune: true
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
+      - ServerSideApply=true
+      - RespectIgnoreDifferences=true

argocd-apps/trivy-operator.yaml

@@ -30,6 +30,11 @@ spec:
           limits:
             cpu: 200m
             memory: 512Mi
+        nodeCollector:
+          tolerations:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
+              effect: NoSchedule
         scanJob:
           resources:
             requests: