Update .gitignore to include .tmp files, remove Trivy namespace from kustomization.yaml, and add Trivy dashboard application to app-of-apps kustomization. Delete obsolete Trivy namespace and values files to streamline deployment configuration.

.gitignore

@@ -6,6 +6,7 @@ talos/kubeconfig
 # Local secrets
 age-key.txt
 .env
+.tmp
 
 # Generated by ansible noble_landing_urls
 ansible/output/noble-lab-ui-urls.md

clusters/noble/apps/kustomization.yaml

@@ -5,3 +5,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - homepage/application.yaml
+  - trivy/namespace.yaml

clusters/noble/apps/trivy/dashboard-values.yaml

@@ -0,0 +1,42 @@
+# Trivy Operator Dashboard — web UI for Trivy Operator CRDs (community chart; not Aqua).
+# Helm: oci://ghcr.io/raoulx24/charts/trivy-operator-dashboard — Argo: **noble-trivy-dashboard**.
+# OAuth: Traefik **ForwardAuth** → **oauth2-proxy** (OIDC to Authentik), same pattern as Longhorn / Prometheus UIs.
+#
+# Sync **noble-trivy-operator** first so CRDs and reports exist. DNS: host below → Traefik LB.
+
+kubernetes:
+  # Match **clusters/noble/bootstrap/trivy/values.yaml** operator feature flags (no SBOM / cluster compliance cache).
+  trivyUseClusterComplianceReport: false
+  trivyUseClusterSbomReport: false
+  trivyUseClusterVulnerabilityReport: false
+  trivyUseSbomReport: false
+
+image:
+  pullPolicy: IfNotPresent
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+  hosts:
+    - host: trivy.apps.noble.lab.pcenicni.dev
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: trivy-apps-noble-tls
+      hosts:
+        - trivy.apps.noble.lab.pcenicni.dev
+
+tolerations:
+  - operator: Exists
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 384Mi
+  limits:
+    cpu: "1"
+    memory: 512Mi

clusters/noble/apps/trivy/values.yaml

@@ -1,6 +1,9 @@
 # Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
 # Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
 #
+# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
+# after the operator — values in **dashboard-values.yaml** (host **trivy.apps.noble.lab.pcenicni.dev**).
+#
 # Manual Helm (if not using Argo):
 #   helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
 #   kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml

clusters/noble/bootstrap/argocd/app-of-apps/kustomization.yaml

@@ -19,3 +19,4 @@ resources:
   - fluent-bit-application.yaml
   - headlamp-application.yaml
   - trivy-operator-application.yaml
+  - trivy-dashboard-application.yaml

clusters/noble/bootstrap/argocd/app-of-apps/trivy-dashboard-application.yaml

@@ -0,0 +1,28 @@
+# Bootstrap app-of-apps leaf: Trivy Operator Dashboard (web UI for vulnerability/config CRDs).
+# OAuth at the edge: Traefik ForwardAuth → oauth2-proxy (OIDC with Authentik); see **trivy/dashboard-values.yaml**.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: noble-trivy-dashboard
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/background
+spec:
+  project: default
+  sources:
+    - repoURL: oci://ghcr.io/raoulx24/charts/trivy-operator-dashboard
+      targetRevision: 1.8.0
+      helm:
+        releaseName: trivy-operator-dashboard
+        valueFiles:
+          - $values/clusters/noble/bootstrap/trivy/dashboard-values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: HEAD
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

clusters/noble/bootstrap/kustomization.yaml

@@ -19,5 +19,4 @@ resources:
   - velero/namespace.yaml
   - velero/longhorn-volumesnapshotclass.yaml
   - headlamp/namespace.yaml
-  - trivy/namespace.yaml
   - grafana-loki-datasource/loki-datasource.yaml