Update Ansible configuration to integrate SOPS for managing secrets. Enhance README.md with SOPS usage instructions and prerequisites. Remove External Secrets Operator references and related configurations from the bootstrap process, streamlining the deployment. Adjust playbooks and roles to apply SOPS-encrypted secrets automatically, improving security and clarity in secret management.

ansible/roles/noble_post_deploy/tasks/main.yml

@@ -1,24 +1,10 @@
 ---
-- name: Vault — manual steps (not automated)
+- name: SOPS secrets (workstation)
   ansible.builtin.debug:
     msg: |
-      1. kubectl -n vault get pods  (wait for Running)
-      2. kubectl -n vault exec -it vault-0 -- vault operator init  (once; save keys)
-      3. Unseal per clusters/noble/bootstrap/vault/README.md
-      4. ./clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh
-      5. kubectl apply -f clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml
-
-- name: Optional — apply Vault ClusterSecretStore for External Secrets
-  ansible.builtin.command:
-    argv:
-      - kubectl
-      - apply
-      - -f
-      - "{{ noble_repo_root }}/clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml"
-  environment:
-    KUBECONFIG: "{{ noble_kubeconfig }}"
-  when: noble_apply_vault_cluster_secret_store | default(false) | bool
-  changed_when: true
+      Encrypted Kubernetes Secrets live under clusters/noble/secrets/ (Mozilla SOPS + age).
+      Private key: age-key.txt at repo root (gitignored). See clusters/noble/secrets/README.md
+      and .sops.yaml. noble.yml decrypt-applies these when age-key.txt exists.
 
 - name: Argo CD optional root Application (empty app-of-apps)
   ansible.builtin.debug: