Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.

clusters/noble/apps/traefik/README.md

@@ -0,0 +1,33 @@
+# Traefik — noble
+
+**Prerequisites:** **Cilium**, **MetalLB** (pool + L2), nodes **Ready**.
+
+1. Create the namespace (Pod Security **baseline** — Traefik needs more than **restricted**):
+
+   ```bash
+   kubectl apply -f clusters/noble/apps/traefik/namespace.yaml
+   ```
+
+2. Install the chart (**do not** use `--create-namespace` if the namespace already exists):
+
+   ```bash
+   helm repo add traefik https://traefik.github.io/charts
+   helm repo update
+   helm upgrade --install traefik traefik/traefik \
+     --namespace traefik \
+     --version 39.0.6 \
+     -f clusters/noble/apps/traefik/values.yaml \
+     --wait
+   ```
+
+3. Confirm the Service has a pool address. On the **LAN**, **`*.apps.noble.lab.pcenicni.dev`** can resolve to this IP (split horizon / local DNS). **Public** names go through **Pangolin + Newt** (CNAME + API), not ExternalDNS — see **`clusters/noble/apps/newt/README.md`**.
+
+   ```bash
+   kubectl get svc -n traefik traefik
+   ```
+
+   Values pin **`192.168.50.211`** via **`metallb.io/loadBalancerIPs`**. **`192.168.50.210`** stays free for Argo CD.
+
+4. Create **Ingress** resources with **`ingressClassName: traefik`** (or rely on the default class). **TLS:** add **`cert-manager.io/cluster-issuer: letsencrypt-staging`** (or **`letsencrypt-prod`**) and **`tls`** hosts — see **`clusters/noble/apps/cert-manager/README.md`**.
+
+5. **Public DNS:** use **Newt** + Pangolin (**CNAME** at your DNS host + **Integration API** for resources/targets) — **`clusters/noble/apps/newt/README.md`**.