Update .gitignore to include .tmp files, remove Trivy namespace from kustomization.yaml, and add Trivy dashboard application to app-of-apps kustomization. Delete obsolete Trivy namespace and values files to streamline deployment configuration.

clusters/noble/apps/kustomization.yaml

@@ -5,3 +5,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - homepage/application.yaml
+  - trivy/namespace.yaml

clusters/noble/apps/trivy/dashboard-values.yaml

@@ -0,0 +1,42 @@
+# Trivy Operator Dashboard — web UI for Trivy Operator CRDs (community chart; not Aqua).
+# Helm: oci://ghcr.io/raoulx24/charts/trivy-operator-dashboard — Argo: **noble-trivy-dashboard**.
+# OAuth: Traefik **ForwardAuth** → **oauth2-proxy** (OIDC to Authentik), same pattern as Longhorn / Prometheus UIs.
+#
+# Sync **noble-trivy-operator** first so CRDs and reports exist. DNS: host below → Traefik LB.
+
+kubernetes:
+  # Match **clusters/noble/bootstrap/trivy/values.yaml** operator feature flags (no SBOM / cluster compliance cache).
+  trivyUseClusterComplianceReport: false
+  trivyUseClusterSbomReport: false
+  trivyUseClusterVulnerabilityReport: false
+  trivyUseSbomReport: false
+
+image:
+  pullPolicy: IfNotPresent
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+  hosts:
+    - host: trivy.apps.noble.lab.pcenicni.dev
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: trivy-apps-noble-tls
+      hosts:
+        - trivy.apps.noble.lab.pcenicni.dev
+
+tolerations:
+  - operator: Exists
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 384Mi
+  limits:
+    cpu: "1"
+    memory: 512Mi

clusters/noble/apps/trivy/namespace.yaml

@@ -0,0 +1,10 @@
+# Trivy Operator — namespace + PSA; applied with **noble_platform** bootstrap kustomize before Argo syncs the chart.
+# Scan jobs may use elevated capabilities; align with other operator namespaces.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: trivy-system
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/noble/apps/trivy/values.yaml

@@ -0,0 +1,33 @@
+# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
+# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
+#
+# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
+# after the operator — values in **dashboard-values.yaml** (host **trivy.apps.noble.lab.pcenicni.dev**).
+#
+# Manual Helm (if not using Argo):
+#   helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
+#   kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml
+#   helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \
+#     --version 0.32.1 -f clusters/noble/bootstrap/trivy/values.yaml --wait --timeout 15m
+#
+# Inspect: kubectl get vulnerabilityreports,configauditreports -A
+# Docs: https://aquasecurity.github.io/trivy-operator/
+
+# Skip platform/system namespaces (mirrors Kyverno excludes; reduces scan load).
+excludeNamespaces: "argocd,cert-manager,headlamp,kyverno,local-path-storage,logging,longhorn-system,loki,metallb-system,monitoring,newt,traefik,trivy-system,velero,kube-node-lease,kube-public,kube-system"
+
+operator:
+  scanJobsConcurrentLimit: 5
+  # SBOM / cluster compliance add CPU and CR volume; keep vulnerability + config audit.
+  sbomGenerationEnabled: false
+  clusterSbomCacheEnabled: false
+  clusterComplianceEnabled: false
+
+trivyOperator:
+  # Run scan Jobs on every node (Talos / mixed taints).
+  scanJobTolerations:
+    - operator: Exists
+
+serviceMonitor:
+  enabled: true
+  namespace: monitoring