Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

clusters/noble/bootstrap/cert-manager/README.md

@@ -0,0 +1,53 @@
+# cert-manager — noble
+
+**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB for app traffic.
+
+**ACME (Let’s Encrypt)** uses **DNS-01** via **Cloudflare** for zone **`pcenicni.dev`**. Create an API token with **Zone → DNS → Edit** and **Zone → Zone → Read** (or use the “Edit zone DNS” template), then:
+
+**Option A — Ansible:** copy **`.env.sample`** to **`.env`** in the repo root, set **`CLOUDFLARE_DNS_API_TOKEN`**, run **`ansible/playbooks/noble.yml`** (or **`deploy.yml`**). The **cert-manager** role creates **cloudflare-dns-api-token** from `.env` after the chart installs.
+
+**Option B — kubectl:**
+
+```bash
+kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
+  --from-literal=api-token='YOUR_CLOUDFLARE_API_TOKEN' \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+Without this Secret, **`ClusterIssuer`** will not complete certificate orders.
+
+1. Create the namespace:
+
+   ```bash
+   kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
+   ```
+
+2. Install the chart (CRDs included via `values.yaml`):
+
+   ```bash
+   helm repo add jetstack https://charts.jetstack.io
+   helm repo update
+   helm upgrade --install cert-manager jetstack/cert-manager \
+     --namespace cert-manager \
+     --version v1.20.0 \
+     -f clusters/noble/apps/cert-manager/values.yaml \
+     --wait
+   ```
+
+3. Optionally edit **`spec.acme.email`** in both ClusterIssuer manifests (default **`certificates@noble.lab.pcenicni.dev`**) — Let’s Encrypt uses this for expiry and account notices. Do **not** use **`example.com`** (ACME rejects it).
+
+4. Apply ClusterIssuers (staging then prod, or both):
+
+   ```bash
+   kubectl apply -k clusters/noble/apps/cert-manager
+   ```
+
+5. Confirm:
+
+   ```bash
+   kubectl get clusterissuer
+   ```
+
+Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.
+
+**HTTP-01** is not configured: if the hostname is **proxied** (orange cloud) in Cloudflare, Let’s Encrypt may hit Cloudflare’s edge and get **404** for `/.well-known/acme-challenge/`. DNS-01 avoids that.

clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml

@@ -0,0 +1,23 @@
+# Let's Encrypt production — trusted certificates; respect rate limits.
+# Prefer a real mailbox for expiry notices; this domain is accepted by LE (edit if needed).
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: certificates@noble.lab.pcenicni.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      # DNS-01 — works when public HTTP to Traefik is wrong (e.g. hostname proxied through Cloudflare
+      # returns 404 for /.well-known/acme-challenge). Requires Secret cloudflare-dns-api-token in cert-manager.
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-dns-api-token
+              key: api-token
+        selector:
+          dnsZones:
+            - pcenicni.dev

clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml

@@ -0,0 +1,21 @@
+# Let's Encrypt staging — use for tests (untrusted issuer in browsers).
+# Prefer a real mailbox for expiry notices; this domain is accepted by LE (edit if needed).
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: certificates@noble.lab.pcenicni.dev
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-dns-api-token
+              key: api-token
+        selector:
+          dnsZones:
+            - pcenicni.dev

clusters/noble/bootstrap/cert-manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - clusterissuer-letsencrypt-staging.yaml
+  - clusterissuer-letsencrypt-prod.yaml

clusters/noble/bootstrap/cert-manager/namespace.yaml

@@ -0,0 +1,9 @@
+# cert-manager controller + webhook — noble lab
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline

clusters/noble/bootstrap/cert-manager/values.yaml

@@ -0,0 +1,14 @@
+# cert-manager — noble lab
+#
+# Chart: jetstack/cert-manager — pin version on the helm command (e.g. v1.20.0).
+#
+# kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
+# helm repo add jetstack https://charts.jetstack.io
+# helm repo update
+# helm upgrade --install cert-manager jetstack/cert-manager -n cert-manager \
+#   --version v1.20.0 -f clusters/noble/apps/cert-manager/values.yaml --wait
+#
+# kubectl apply -k clusters/noble/apps/cert-manager
+
+crds:
+  enabled: true