From 10fdaf873cf3a74a654c017ce1eae94759836e43 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 17:10:00 -0400
Subject: [PATCH] Update .gitignore to include .tmp files, remove Trivy namespace from kustomization.yaml, and add Trivy dashboard application to app-of-apps kustomization. Delete obsolete Trivy namespace and values files to streamline deployment configuration.
---
 .gitignore | 1 +
 clusters/noble/apps/kustomization.yaml | 1 +
 .../noble/apps/trivy/dashboard-values.yaml | 42 +++++++++++++++++++
 .../{bootstrap => apps}/trivy/namespace.yaml | 0
 .../{bootstrap => apps}/trivy/values.yaml | 3 ++
 .../argocd/app-of-apps/kustomization.yaml | 1 +
 .../trivy-dashboard-application.yaml | 28 +++++++++++++
 clusters/noble/bootstrap/kustomization.yaml | 1 -
 8 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 clusters/noble/apps/trivy/dashboard-values.yaml
 rename clusters/noble/{bootstrap => apps}/trivy/namespace.yaml (100%)
 rename clusters/noble/{bootstrap => apps}/trivy/values.yaml (86%)
 create mode 100644 clusters/noble/bootstrap/argocd/app-of-apps/trivy-dashboard-application.yaml
diff --git a/.gitignore b/.gitignore
index b99a881..6c3b096 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ talos/kubeconfig
 # Local secrets
 age-key.txt
 .env
+.tmp
 # Generated by ansible noble_landing_urls
 ansible/output/noble-lab-ui-urls.md
\ No newline at end of file
diff --git a/clusters/noble/apps/kustomization.yaml b/clusters/noble/apps/kustomization.yaml
index d0d72de..d32a44c 100644
--- a/clusters/noble/apps/kustomization.yaml
+++ b/clusters/noble/apps/kustomization.yaml
@@ -5,3 +5,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage/application.yaml
+ - trivy/namespace.yaml
\ No newline at end of file
diff --git a/clusters/noble/apps/trivy/dashboard-values.yaml b/clusters/noble/apps/trivy/dashboard-values.yaml
new file mode 100644
index 0000000..54c043d
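Review bot: `trivy/namespace.yaml` is now applied from the apps layer, while the Application that runs in `trivy-system` (`noble-trivy-operator`, still listed in the bootstrap app-of-apps kustomization later in this patch) is unchanged, so the namespace is created by a later layer than the workload that needs it; that only works if the operator Application also sets `CreateNamespace=true`, which is outside this diff — confirm. Also, the commit subject says the Trivy namespace and values files are deleted, but the diffstat shows them renamed into `clusters/noble/apps/trivy/`; the message should say moved so a later reader does not go looking for dropped configuration.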
--- /dev/null
+++ b/clusters/noble/apps/trivy/dashboard-values.yaml
@@ -0,0 +1,42 @@
+# Trivy Operator Dashboard — web UI for Trivy Operator CRDs (community chart; not Aqua).
+# Helm: oci://ghcr.io/raoulx24/charts/trivy-operator-dashboard — Argo: **noble-trivy-dashboard**.
+# OAuth: Traefik **ForwardAuth** → **oauth2-proxy** (OIDC to Authentik), same pattern as Longhorn / Prometheus UIs.
+#
+# Sync **noble-trivy-operator** first so CRDs and reports exist. DNS: host below → Traefik LB.
+
+kubernetes:
+ # Match **clusters/noble/bootstrap/trivy/values.yaml** operator feature flags (no SBOM / cluster compliance cache).
+ trivyUseClusterComplianceReport: false
+ trivyUseClusterSbomReport: false
+ trivyUseClusterVulnerabilityReport: false
+ trivyUseSbomReport: false
+
+image:
+ pullPolicy: IfNotPresent
+
+ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+ hosts:
+ - host: trivy.apps.noble.lab.pcenicni.dev
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: trivy-apps-noble-tls
+ hosts:
+ - trivy.apps.noble.lab.pcenicni.dev
+
+tolerations:
+ - operator: Exists
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 384Mi
+ limits:
+ cpu: "1"
+ memory: 512Mi
diff --git a/clusters/noble/bootstrap/trivy/namespace.yaml b/clusters/noble/apps/trivy/namespace.yaml
similarity index 100%
rename from clusters/noble/bootstrap/trivy/namespace.yaml
rename to clusters/noble/apps/trivy/namespace.yaml
diff --git a/clusters/noble/bootstrap/trivy/values.yaml b/clusters/noble/apps/trivy/values.yaml
similarity index 86%
rename from clusters/noble/bootstrap/trivy/values.yaml
rename to clusters/noble/apps/trivy/values.yaml
index aa4645c..28321e1 100644
--- a/clusters/noble/bootstrap/trivy/values.yaml
+++ b/clusters/noble/apps/trivy/values.yaml
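Review bot: The comment under `kubernetes:` cross-references `clusters/noble/bootstrap/trivy/values.yaml`, but this same commit renames that file to `clusters/noble/apps/trivy/values.yaml`, so the pointer is stale on arrival; change it to `# Match **clusters/noble/apps/trivy/values.yaml** operator feature flags (no SBOM / cluster compliance cache).` The `router.middlewares` annotation is what keeps the vulnerability reports behind oauth2-proxy, and Traefik resolves `oauth2-proxy-forward-auth@kubernetescrd` as `<namespace>-<name>`; a mismatch should leave the router unserved rather than open, but the Middleware's actual namespace and name are not visible here, so confirm them before the DNS record is created. `Sync **noble-trivy-operator** first` is a manual step that nothing in these values or in the Application enforces — say what happens if it is skipped (empty dashboard versus failed sync), or order it with a sync-wave on the Application.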
@@ -1,6 +1,9 @@
 # Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
 # Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
 #
+# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
+# after the operator — values in **dashboard-values.yaml** (host **trivy.apps.noble.lab.pcenicni.dev**).
+#
 # Manual Helm (if not using Argo):
 # helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
 # kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml
diff --git a/clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml b/clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml
index 93e29f5..ab71a56 100644
--- a/clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml
+++ b/clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml
@@ -19,3 +19,4 @@ resources:
 - fluent-bit-application.yaml
 - headlamp-application.yaml
 - trivy-operator-application.yaml
+ - trivy-dashboard-application.yaml
diff --git a/clusters/noble/bootstrap/argocd/app-of-apps/trivy-dashboard-application.yaml b/clusters/noble/bootstrap/argocd/app-of-apps/trivy-dashboard-application.yaml
new file mode 100644
index 0000000..8cca113
--- /dev/null
+++ b/clusters/noble/bootstrap/argocd/app-of-apps/trivy-dashboard-application.yaml
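Review bot: The Manual Helm block still says `# kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml`, but this commit renames that file, so the context line should become `# kubectl apply -f clusters/noble/apps/trivy/namespace.yaml`. The rename also affects whatever reads this values file: `trivy-operator-application.yaml` is named two lines up and is unchanged in this commit, so if it references `$values/clusters/noble/bootstrap/trivy/values.yaml` the operator sync breaks in the same way — that file is outside this diff, so verify. The comment block continues past the end of the hunk.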
@@ -0,0 +1,28 @@
+# Bootstrap app-of-apps leaf: Trivy Operator Dashboard (web UI for vulnerability/config CRDs).
+# OAuth at the edge: Traefik ForwardAuth → oauth2-proxy (OIDC with Authentik); see **trivy/dashboard-values.yaml**.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: noble-trivy-dashboard
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io/background
+spec:
+ project: default
+ sources:
+ - repoURL: oci://ghcr.io/raoulx24/charts/trivy-operator-dashboard
+ targetRevision: 1.8.0
+ helm:
+ releaseName: trivy-operator-dashboard
+ valueFiles:
+ - $values/clusters/noble/bootstrap/trivy/dashboard-values.yaml
+ - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: trivy-system
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/clusters/noble/bootstrap/kustomization.yaml b/clusters/noble/bootstrap/kustomization.yaml
index c29d1d9..35002bb 100644
--- a/clusters/noble/bootstrap/kustomization.yaml
+++ b/clusters/noble/bootstrap/kustomization.yaml
@@ -19,5 +19,4 @@ resources:
 - velero/namespace.yaml
 - velero/longhorn-volumesnapshotclass.yaml
 - headlamp/namespace.yaml
- - trivy/namespace.yaml
 - grafana-loki-datasource/loki-datasource.yaml
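Review bot: `valueFiles` references `$values/clusters/noble/bootstrap/trivy/dashboard-values.yaml`, but the file this commit creates is `clusters/noble/apps/trivy/dashboard-values.yaml`, so the Helm render should fail on a missing values file and none of the ingress, ForwardAuth middleware or resource settings reach the cluster; change it to `- $values/clusters/noble/apps/trivy/dashboard-values.yaml`. The header comment's `see **trivy/dashboard-values.yaml**` resolves only relative to `clusters/noble/apps/`, not to this file's own directory, so spell the path out. Nothing orders this Application after `noble-trivy-operator`, although the values file says the operator must be synced first; an `argocd.argoproj.io/sync-wave` annotation under `metadata` would make the dependency explicit, provided the operator Application carries a lower wave (it is outside this diff). The chart is pinned to `1.8.0` while the values source tracks `HEAD`, so the ingress and auth configuration is the one unpinned input here.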