Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.

clusters/noble/apps/cert-manager/README.md

@@ -0,0 +1,37 @@
+# cert-manager — noble
+
+**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB.
+
+1. Create the namespace:
+
+   ```bash
+   kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
+   ```
+
+2. Install the chart (CRDs included via `values.yaml`):
+
+   ```bash
+   helm repo add jetstack https://charts.jetstack.io
+   helm repo update
+   helm upgrade --install cert-manager jetstack/cert-manager \
+     --namespace cert-manager \
+     --version v1.20.0 \
+     -f clusters/noble/apps/cert-manager/values.yaml \
+     --wait
+   ```
+
+3. Optionally edit **`spec.acme.email`** in both ClusterIssuer manifests (default **`certificates@noble.lab.pcenicni.dev`**) — Let’s Encrypt uses this for expiry and account notices. Do **not** use **`example.com`** (ACME rejects it).
+
+4. Apply ClusterIssuers (staging then prod, or both):
+
+   ```bash
+   kubectl apply -k clusters/noble/apps/cert-manager
+   ```
+
+5. Confirm:
+
+   ```bash
+   kubectl get clusterissuer
+   ```
+
+Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.