Update .gitignore to include generated noble-lab-ui-urls.md and enhance README.md with new role documentation. Refactor noble.yml to incorporate noble_landing_urls role for improved URL management. Add ingress configurations for alertmanager, prometheus, longhorn, and vault to support TLS termination via Traefik. Update network policies and values.yaml for vault to allow traffic from Traefik. These changes aim to streamline deployment and enhance service accessibility.

ansible/roles/noble_landing_urls/defaults/main.yml

@@ -0,0 +1,43 @@
+---
+# Regenerated when **noble_landing_urls** runs (after platform stack). Paths match Traefik + cert-manager Ingresses.
+noble_landing_urls_dest: "{{ noble_repo_root }}/ansible/output/noble-lab-ui-urls.md"
+
+# When true, run kubectl against the cluster to fill Argo CD / Grafana passwords in the markdown (requires working kubeconfig).
+noble_landing_urls_fetch_credentials: true
+
+noble_lab_ui_entries:
+  - name: Argo CD
+    description: GitOps UI (sync, apps, repos)
+    namespace: argocd
+    service: argocd-server
+    url: https://argo.apps.noble.lab.pcenicni.dev
+  - name: Grafana
+    description: Dashboards, Loki explore (logs)
+    namespace: monitoring
+    service: kube-prometheus-grafana
+    url: https://grafana.apps.noble.lab.pcenicni.dev
+  - name: Prometheus
+    description: Prometheus UI (queries, targets) — lab; protect in production
+    namespace: monitoring
+    service: kube-prometheus-kube-prome-prometheus
+    url: https://prometheus.apps.noble.lab.pcenicni.dev
+  - name: Alertmanager
+    description: Alertmanager UI (silences, status)
+    namespace: monitoring
+    service: kube-prometheus-kube-prome-alertmanager
+    url: https://alertmanager.apps.noble.lab.pcenicni.dev
+  - name: Headlamp
+    description: Kubernetes UI (cluster resources)
+    namespace: headlamp
+    service: headlamp
+    url: https://headlamp.apps.noble.lab.pcenicni.dev
+  - name: Longhorn
+    description: Storage volumes, nodes, backups
+    namespace: longhorn-system
+    service: longhorn-frontend
+    url: https://longhorn.apps.noble.lab.pcenicni.dev
+  - name: Vault
+    description: Secrets engine UI (after init/unseal)
+    namespace: vault
+    service: vault
+    url: https://vault.apps.noble.lab.pcenicni.dev

ansible/roles/noble_landing_urls/tasks/fetch_credentials.yml

@@ -0,0 +1,55 @@
+---
+# Populates template variables from Secrets (no_log on kubectl to avoid leaking into Ansible stdout).
+- name: Fetch Argo CD initial admin password (base64)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - -n
+      - argocd
+      - get
+      - secret
+      - argocd-initial-admin-secret
+      - -o
+      - jsonpath={.data.password}
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_fetch_argocd_pw_b64
+  failed_when: false
+  changed_when: false
+  no_log: true
+
+- name: Fetch Grafana admin user (base64)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - -n
+      - monitoring
+      - get
+      - secret
+      - kube-prometheus-grafana
+      - -o
+      - jsonpath={.data.admin-user}
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_fetch_grafana_user_b64
+  failed_when: false
+  changed_when: false
+  no_log: true
+
+- name: Fetch Grafana admin password (base64)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - -n
+      - monitoring
+      - get
+      - secret
+      - kube-prometheus-grafana
+      - -o
+      - jsonpath={.data.admin-password}
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_fetch_grafana_pw_b64
+  failed_when: false
+  changed_when: false
+  no_log: true

ansible/roles/noble_landing_urls/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Ensure output directory for generated landing page
+  ansible.builtin.file:
+    path: "{{ noble_repo_root }}/ansible/output"
+    state: directory
+    mode: "0755"
+
+- name: Fetch initial credentials from cluster Secrets (optional)
+  ansible.builtin.include_tasks: fetch_credentials.yml
+  when: noble_landing_urls_fetch_credentials | default(true) | bool
+
+- name: Write noble lab UI URLs (markdown landing page)
+  ansible.builtin.template:
+    src: noble-lab-ui-urls.md.j2
+    dest: "{{ noble_landing_urls_dest }}"
+    mode: "0644"
+
+- name: Show landing page path
+  ansible.builtin.debug:
+    msg: "Noble lab UI list written to {{ noble_landing_urls_dest }}"

ansible/roles/noble_landing_urls/templates/noble-lab-ui-urls.md.j2

@@ -0,0 +1,50 @@
+# Noble lab — web UIs (LAN)
+
+> **Sensitive:** This file may include **passwords read from Kubernetes Secrets** when credential fetch ran. It is **gitignored** — do not commit or share.
+
+**DNS:** point **`*.apps.noble.lab.pcenicni.dev`** at the Traefik **LoadBalancer** (MetalLB **`192.168.50.211`** by default — see `clusters/noble/apps/traefik/values.yaml`).
+
+**TLS:** **cert-manager** + **`letsencrypt-prod`** on each Ingress (public **DNS-01** for **`pcenicni.dev`**).
+
+This file is **generated** by Ansible (`noble_landing_urls` role). Use it as a temporary landing page to find services after deploy.
+
+| UI | What | Kubernetes service | Namespace | URL |
+|----|------|----------------------|-----------|-----|
+{% for e in noble_lab_ui_entries %}
+| {{ e.name }} | {{ e.description }} | `{{ e.service }}` | `{{ e.namespace }}` | [{{ e.url }}]({{ e.url }}) |
+{% endfor %}
+
+## Initial access (logins)
+
+| App | Username / identity | Password / secret |
+|-----|---------------------|-------------------|
+| **Argo CD** | `admin` | {% if (noble_fetch_argocd_pw_b64 is defined) and (noble_fetch_argocd_pw_b64.rc | default(1) == 0) and (noble_fetch_argocd_pw_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_argocd_pw_b64.stdout | b64decode }}`{% else %}*(not fetched — use commands below)*{% endif %} |
+| **Grafana** | {% if (noble_fetch_grafana_user_b64 is defined) and (noble_fetch_grafana_user_b64.rc | default(1) == 0) and (noble_fetch_grafana_user_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_grafana_user_b64.stdout | b64decode }}`{% else %}*(from Secret — use commands below)*{% endif %} | {% if (noble_fetch_grafana_pw_b64 is defined) and (noble_fetch_grafana_pw_b64.rc | default(1) == 0) and (noble_fetch_grafana_pw_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_grafana_pw_b64.stdout | b64decode }}`{% else %}*(not fetched — use commands below)*{% endif %} |
+| **Headlamp** | ServiceAccount token | No fixed password. Sign in with a SA token, or configure OIDC — `clusters/noble/apps/headlamp/README.md`. |
+| **Prometheus** | — | No auth in default install (lab). |
+| **Alertmanager** | — | No auth in default install (lab). |
+| **Longhorn** | — | No default login unless you enable access control in the UI settings. |
+| **Vault** | Token | Root token is only from **`vault operator init`** (not stored in git). See `clusters/noble/apps/vault/README.md`. |
+
+### Commands to retrieve passwords (if not filled above)
+
+```bash
+# Argo CD initial admin (Secret removed after you change password)
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d
+echo
+
+# Grafana admin user / password
+kubectl -n monitoring get secret kube-prometheus-grafana -o jsonpath='{.data.admin-user}' | base64 -d
+echo
+kubectl -n monitoring get secret kube-prometheus-grafana -o jsonpath='{.data.admin-password}' | base64 -d
+echo
+```
+
+To generate this file **without** calling kubectl, run Ansible with **`-e noble_landing_urls_fetch_credentials=false`**.
+
+## Notes
+
+- **Argo CD** `argocd-initial-admin-secret` disappears after you change the admin password.
+- **Grafana** password is random unless you set `grafana.adminPassword` in chart values.
+- **Vault** UI needs **unsealed** Vault; tokens come from your chosen auth method.
+- **Prometheus / Alertmanager** UIs are unauthenticated by default — restrict when hardening (`talos/CLUSTER-BUILD.md` Phase G).