Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.

clusters/noble/apps/traefik/README.md

@@ -0,0 +1,33 @@
+# Traefik — noble
+
+**Prerequisites:** **Cilium**, **MetalLB** (pool + L2), nodes **Ready**.
+
+1. Create the namespace (Pod Security **baseline** — Traefik needs more than **restricted**):
+
+   ```bash
+   kubectl apply -f clusters/noble/apps/traefik/namespace.yaml
+   ```
+
+2. Install the chart (**do not** use `--create-namespace` if the namespace already exists):
+
+   ```bash
+   helm repo add traefik https://traefik.github.io/charts
+   helm repo update
+   helm upgrade --install traefik traefik/traefik \
+     --namespace traefik \
+     --version 39.0.6 \
+     -f clusters/noble/apps/traefik/values.yaml \
+     --wait
+   ```
+
+3. Confirm the Service has a pool address. On the **LAN**, **`*.apps.noble.lab.pcenicni.dev`** can resolve to this IP (split horizon / local DNS). **Public** names go through **Pangolin + Newt** (CNAME + API), not ExternalDNS — see **`clusters/noble/apps/newt/README.md`**.
+
+   ```bash
+   kubectl get svc -n traefik traefik
+   ```
+
+   Values pin **`192.168.50.211`** via **`metallb.io/loadBalancerIPs`**. **`192.168.50.210`** stays free for Argo CD.
+
+4. Create **Ingress** resources with **`ingressClassName: traefik`** (or rely on the default class). **TLS:** add **`cert-manager.io/cluster-issuer: letsencrypt-staging`** (or **`letsencrypt-prod`**) and **`tls`** hosts — see **`clusters/noble/apps/cert-manager/README.md`**.
+
+5. **Public DNS:** use **Newt** + Pangolin (**CNAME** at your DNS host + **Integration API** for resources/targets) — **`clusters/noble/apps/newt/README.md`**.

clusters/noble/apps/traefik/namespace.yaml

@@ -0,0 +1,10 @@
+# Traefik controller — apply before Helm (omit --create-namespace on install).
+# Ingress controller needs capabilities beyond "restricted"; use baseline.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline

clusters/noble/apps/traefik/values.yaml

@@ -0,0 +1,29 @@
+# Traefik ingress controller — noble lab
+#
+# Chart: traefik/traefik — pin version on the helm command (e.g. 39.0.6).
+# DNS: point *.apps.noble.lab.pcenicni.dev to the LoadBalancer IP below.
+#
+# kubectl apply -f clusters/noble/apps/traefik/namespace.yaml
+# helm repo add traefik https://traefik.github.io/charts
+# helm upgrade --install traefik traefik/traefik -n traefik \
+#   --version 39.0.6 -f clusters/noble/apps/traefik/values.yaml --wait
+
+service:
+  type: LoadBalancer
+  annotations:
+    metallb.io/loadBalancerIPs: 192.168.50.211
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+  name: traefik
+
+# Ingress-only; Gateway API objects from the chart are not needed here.
+gateway:
+  enabled: false
+
+gatewayClass:
+  enabled: false
+
+deployment:
+  replicas: 1