Refactor noble cluster configurations to transition from the deprecated apps structure to a streamlined bootstrap approach. Update paths in various YAML files and README documentation to reflect the new organization under clusters/noble/bootstrap. This change enhances clarity and consistency across the deployment process, ensuring that all components are correctly referenced and documented for user guidance.

clusters/noble/bootstrap/vault/README.md

@@ -10,9 +10,9 @@ Standalone Vault with **file** storage on a **Longhorn** PVC (`server.dataStorag
 ```bash
 helm repo add hashicorp https://helm.releases.hashicorp.com
 helm repo update
-kubectl apply -f clusters/noble/apps/vault/namespace.yaml
+kubectl apply -f clusters/noble/bootstrap/vault/namespace.yaml
 helm upgrade --install vault hashicorp/vault -n vault \
-  --version 0.32.0 -f clusters/noble/apps/vault/values.yaml --wait --timeout 15m
+  --version 0.32.0 -f clusters/noble/bootstrap/vault/values.yaml --wait --timeout 15m
 ```
 
 Verify:
@@ -27,7 +27,7 @@ kubectl -n vault exec -i sts/vault -- vault status
 After **Cilium** is up, optionally restrict HTTP access to the Vault server pods (**TCP 8200**) to **`external-secrets`** and same-namespace clients:
 
 ```bash
-kubectl apply -f clusters/noble/apps/vault/cilium-network-policy.yaml
+kubectl apply -f clusters/noble/bootstrap/vault/cilium-network-policy.yaml
 ```
 
 If you add workloads in other namespaces that call Vault, extend **`ingress`** in that manifest.
@@ -53,7 +53,7 @@ Or create the Secret used by the optional CronJob and apply it:
 
 ```bash
 kubectl -n vault create secret generic vault-unseal-key --from-literal=key='YOUR_UNSEAL_KEY'
-kubectl apply -f clusters/noble/apps/vault/unseal-cronjob.yaml
+kubectl apply -f clusters/noble/bootstrap/vault/unseal-cronjob.yaml
 ```
 
 The CronJob runs every minute and unseals if Vault is sealed and the Secret is present.
@@ -64,7 +64,7 @@ Vault **OSS** auto-unseal uses cloud KMS (AWS, GCP, Azure, OCI), **Transit** (an
 
 ## Kubernetes auth (External Secrets / ClusterSecretStore)
 
-**One-shot:** from the repo root, `export KUBECONFIG=talos/kubeconfig` and `export VAULT_TOKEN=…`, then run **`./clusters/noble/apps/vault/configure-kubernetes-auth.sh`** (idempotent). Then **`kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml`** on its own line (shell comments **`# …`** on the same line are parsed as extra `kubectl` args and break `apply`). **`kubectl get clustersecretstore vault`** should show **READY=True** after a few seconds.
+**One-shot:** from the repo root, `export KUBECONFIG=talos/kubeconfig` and `export VAULT_TOKEN=…`, then run **`./clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh`** (idempotent). Then **`kubectl apply -f clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml`** on its own line (shell comments **`# …`** on the same line are parsed as extra `kubectl` args and break `apply`). **`kubectl get clustersecretstore vault`** should show **READY=True** after a few seconds.
 
 Run these **from your workstation** (needs `kubectl`; no local `vault` binary required). Use a **short-lived admin token** or the root token **only in your shell** — do not paste tokens into logs or chat.
 
@@ -139,7 +139,7 @@ EOF
 '
 ```
 
-**5. Apply** **`clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml`** if you have not already, then verify:
+**5. Apply** **`clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml`** if you have not already, then verify:
 
 ```bash
 kubectl describe clustersecretstore vault

clusters/noble/bootstrap/vault/cilium-network-policy.yaml

@@ -1,5 +1,5 @@
 # CiliumNetworkPolicy — restrict who may reach Vault HTTP listener (8200).
-# Apply after Cilium is healthy: kubectl apply -f clusters/noble/apps/vault/cilium-network-policy.yaml
+# Apply after Cilium is healthy: kubectl apply -f clusters/noble/bootstrap/vault/cilium-network-policy.yaml
 #
 # Ingress-only policy: egress from Vault is unchanged (Kubernetes auth needs API + DNS).
 # Extend ingress rules if other namespaces must call Vault (e.g. app workloads).

clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh

@@ -5,9 +5,9 @@
 # Usage (from repo root):
 #   export KUBECONFIG=talos/kubeconfig   # or your path
 #   export VAULT_TOKEN='…'               # root or admin token — never commit
-#   ./clusters/noble/apps/vault/configure-kubernetes-auth.sh
+#   ./clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh
 #
-# Then: kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
+# Then: kubectl apply -f clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml
 # Verify: kubectl describe clustersecretstore vault
 
 set -euo pipefail
@@ -73,5 +73,5 @@ EOF
 echo "Done. Issuer used: $ISSUER"
 echo ""
 echo "Next (each command on its own line — do not paste # comments after kubectl):"
-echo "  kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml"
+echo "  kubectl apply -f clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml"
 echo "  kubectl get clustersecretstore vault"

clusters/noble/bootstrap/vault/unseal-cronjob.yaml

@@ -2,7 +2,7 @@
 #
 # 1) vault operator init -key-shares=1 -key-threshold=1  (lab only — single key)
 # 2) kubectl -n vault create secret generic vault-unseal-key --from-literal=key='YOUR_UNSEAL_KEY'
-# 3) kubectl apply -f clusters/noble/apps/vault/unseal-cronjob.yaml
+# 3) kubectl apply -f clusters/noble/bootstrap/vault/unseal-cronjob.yaml
 #
 # OSS Vault has no Kubernetes/KMS seal; this CronJob runs vault operator unseal when the server is sealed.
 # Protect the Secret with RBAC; prefer cloud KMS auto-unseal for real environments.

clusters/noble/bootstrap/vault/values.yaml

@@ -2,9 +2,9 @@
 #
 # helm repo add hashicorp https://helm.releases.hashicorp.com
 # helm repo update
-# kubectl apply -f clusters/noble/apps/vault/namespace.yaml
+# kubectl apply -f clusters/noble/bootstrap/vault/namespace.yaml
 # helm upgrade --install vault hashicorp/vault -n vault \
-#   --version 0.32.0 -f clusters/noble/apps/vault/values.yaml --wait --timeout 15m
+#   --version 0.32.0 -f clusters/noble/bootstrap/vault/values.yaml --wait --timeout 15m
 #
 # Post-install: initialize, store unseal key in Secret, apply optional unseal CronJob — see README.md
 #