Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.

clusters/noble/apps/cert-manager/README.md

@@ -0,0 +1,37 @@
+# cert-manager — noble
+
+**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB.
+
+1. Create the namespace:
+
+   ```bash
+   kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
+   ```
+
+2. Install the chart (CRDs included via `values.yaml`):
+
+   ```bash
+   helm repo add jetstack https://charts.jetstack.io
+   helm repo update
+   helm upgrade --install cert-manager jetstack/cert-manager \
+     --namespace cert-manager \
+     --version v1.20.0 \
+     -f clusters/noble/apps/cert-manager/values.yaml \
+     --wait
+   ```
+
+3. Optionally edit **`spec.acme.email`** in both ClusterIssuer manifests (default **`certificates@noble.lab.pcenicni.dev`**) — Let’s Encrypt uses this for expiry and account notices. Do **not** use **`example.com`** (ACME rejects it).
+
+4. Apply ClusterIssuers (staging then prod, or both):
+
+   ```bash
+   kubectl apply -k clusters/noble/apps/cert-manager
+   ```
+
+5. Confirm:
+
+   ```bash
+   kubectl get clusterissuer
+   ```
+
+Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.

clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-prod.yaml

@@ -0,0 +1,16 @@
+# Let's Encrypt production — trusted certificates; respect rate limits.
+# Prefer a real mailbox for expiry notices; this domain is accepted by LE (edit if needed).
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: certificates@noble.lab.pcenicni.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      - http01:
+          ingress:
+            class: traefik

clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-staging.yaml

@@ -0,0 +1,16 @@
+# Let's Encrypt staging — use for tests (untrusted issuer in browsers).
+# Prefer a real mailbox for expiry notices; this domain is accepted by LE (edit if needed).
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: certificates@noble.lab.pcenicni.dev
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+      - http01:
+          ingress:
+            class: traefik

clusters/noble/apps/cert-manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - clusterissuer-letsencrypt-staging.yaml
+  - clusterissuer-letsencrypt-prod.yaml

clusters/noble/apps/cert-manager/namespace.yaml

@@ -0,0 +1,9 @@
+# cert-manager controller + webhook — noble lab
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline

clusters/noble/apps/cert-manager/values.yaml

@@ -0,0 +1,14 @@
+# cert-manager — noble lab
+#
+# Chart: jetstack/cert-manager — pin version on the helm command (e.g. v1.20.0).
+#
+# kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
+# helm repo add jetstack https://charts.jetstack.io
+# helm repo update
+# helm upgrade --install cert-manager jetstack/cert-manager -n cert-manager \
+#   --version v1.20.0 -f clusters/noble/apps/cert-manager/values.yaml --wait
+#
+# kubectl apply -k clusters/noble/apps/cert-manager
+
+crds:
+  enabled: true