Update .gitignore to include generated noble-lab-ui-urls.md and enhance README.md with new role documentation. Refactor noble.yml to incorporate noble_landing_urls role for improved URL management. Add ingress configurations for alertmanager, prometheus, longhorn, and vault to support TLS termination via Traefik. Update network policies and values.yaml for vault to allow traffic from Traefik. These changes aim to streamline deployment and enhance service accessibility.

clusters/noble/apps/kube-prometheus-stack/values.yaml

@@ -35,6 +35,20 @@ alertmanager:
           resources:
             requests:
               storage: 5Gi
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - alertmanager.apps.noble.lab.pcenicni.dev
+    paths:
+      - /
+    pathType: Prefix
+    tls:
+      - secretName: alertmanager-apps-noble-tls
+        hosts:
+          - alertmanager.apps.noble.lab.pcenicni.dev
 
 prometheus:
   prometheusSpec:
@@ -48,6 +62,20 @@ prometheus:
           resources:
             requests:
               storage: 30Gi
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - prometheus.apps.noble.lab.pcenicni.dev
+    paths:
+      - /
+    pathType: Prefix
+    tls:
+      - secretName: prometheus-apps-noble-tls
+        hosts:
+          - prometheus.apps.noble.lab.pcenicni.dev
 
 grafana:
   persistence:
@@ -78,5 +106,7 @@ grafana:
     server:
       domain: grafana.apps.noble.lab.pcenicni.dev
       root_url: https://grafana.apps.noble.lab.pcenicni.dev/
+      # Traefik sets X-Forwarded-*; required for correct redirects and cookies behind the ingress.
+      use_proxy_headers: true
 
   # Loki datasource: apply `clusters/noble/apps/grafana-loki-datasource/loki-datasource.yaml` (sidecar ConfigMap) instead of additionalDataSources here.

clusters/noble/apps/longhorn/values.yaml

@@ -16,6 +16,19 @@ defaultSettings:
   # Default 30% reserved often makes small data disks look "full" to the scheduler.
   storageReservedPercentageForDefaultDisk: "10"
 
+# Longhorn UI — same *.apps.noble.lab.pcenicni.dev pattern as Grafana / Headlamp (Traefik LB → cert-manager TLS).
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  host: longhorn.apps.noble.lab.pcenicni.dev
+  path: /
+  pathType: Prefix
+  tls: true
+  tlsSecret: longhorn-apps-noble-tls
+  secureBackends: false
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+
 # Pre-upgrade Job: keep enabled for normal Helm upgrades (disable only if GitOps sync fights the Job).
 preUpgradeChecker:
   jobEnabled: true

clusters/noble/apps/vault/cilium-network-policy.yaml

@@ -24,6 +24,13 @@ spec:
         - ports:
             - port: "8200"
               protocol: TCP
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.kubernetes.pod.namespace": traefik
+      toPorts:
+        - ports:
+            - port: "8200"
+              protocol: TCP
     - fromEndpoints:
         - matchLabels:
             "k8s:io.kubernetes.pod.namespace": vault

clusters/noble/apps/vault/values.yaml

@@ -44,5 +44,19 @@ server:
     path: "/v1/sys/health?uninitcode=204&sealedcode=204&standbyok=true"
     port: 8200
 
+  # LAN: TLS terminates at Traefik + cert-manager; listener stays HTTP (global.tlsDisable).
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: vault.apps.noble.lab.pcenicni.dev
+        paths: []
+    tls:
+      - secretName: vault-apps-noble-tls
+        hosts:
+          - vault.apps.noble.lab.pcenicni.dev
+
 ui:
   enabled: true