Update .gitignore to include .tmp files, remove Trivy namespace from kustomization.yaml, and add Trivy dashboard application to app-of-apps kustomization. Delete obsolete Trivy namespace and values files to streamline deployment configuration.

clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml

@@ -19,3 +19,4 @@ resources:
   - fluent-bit-application.yaml
   - headlamp-application.yaml
   - trivy-operator-application.yaml
+  - trivy-dashboard-application.yaml

clusters/noble/bootstrap/argocd/app-of-apps/trivy-dashboard-application.yaml

@@ -0,0 +1,28 @@
+# Bootstrap app-of-apps leaf: Trivy Operator Dashboard (web UI for vulnerability/config CRDs).
+# OAuth at the edge: Traefik ForwardAuth → oauth2-proxy (OIDC with Authentik); see **trivy/dashboard-values.yaml**.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: noble-trivy-dashboard
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  sources:
+    - repoURL: oci://ghcr.io/raoulx24/charts/trivy-operator-dashboard
+      targetRevision: 1.8.0
+      helm:
+        releaseName: trivy-operator-dashboard
+        valueFiles:
+          - $values/clusters/noble/bootstrap/trivy/dashboard-values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: HEAD
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

clusters/noble/bootstrap/kustomization.yaml

@@ -19,5 +19,4 @@ resources:
   - velero/namespace.yaml
   - velero/longhorn-volumesnapshotclass.yaml
   - headlamp/namespace.yaml
-  - trivy/namespace.yaml
   - grafana-loki-datasource/loki-datasource.yaml

clusters/noble/bootstrap/trivy/namespace.yaml

@@ -1,10 +0,0 @@
-# Trivy Operator — namespace + PSA; applied with **noble_platform** bootstrap kustomize before Argo syncs the chart.
-# Scan jobs may use elevated capabilities; align with other operator namespaces.
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: trivy-system
-  labels:
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/warn: privileged

clusters/noble/bootstrap/trivy/values.yaml

@@ -1,30 +0,0 @@
-# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
-# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
-#
-# Manual Helm (if not using Argo):
-#   helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
-#   kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml
-#   helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \
-#     --version 0.32.1 -f clusters/noble/bootstrap/trivy/values.yaml --wait --timeout 15m
-#
-# Inspect: kubectl get vulnerabilityreports,configauditreports -A
-# Docs: https://aquasecurity.github.io/trivy-operator/
-
-# Skip platform/system namespaces (mirrors Kyverno excludes; reduces scan load).
-excludeNamespaces: "argocd,cert-manager,headlamp,kyverno,local-path-storage,logging,longhorn-system,loki,metallb-system,monitoring,newt,traefik,trivy-system,velero,kube-node-lease,kube-public,kube-system"
-
-operator:
-  scanJobsConcurrentLimit: 5
-  # SBOM / cluster compliance add CPU and CR volume; keep vulnerability + config audit.
-  sbomGenerationEnabled: false
-  clusterSbomCacheEnabled: false
-  clusterComplianceEnabled: false
-
-trivyOperator:
-  # Run scan Jobs on every node (Talos / mixed taints).
-  scanJobTolerations:
-    - operator: Exists
-
-serviceMonitor:
-  enabled: true
-  namespace: monitoring