Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

clusters/noble/bootstrap/external-secrets/README.md

@@ -0,0 +1,60 @@
+# External Secrets Operator (noble)
+
+Syncs secrets from external systems into Kubernetes **Secret** objects via **ExternalSecret** / **ClusterExternalSecret** CRDs.
+
+- **Chart:** `external-secrets/external-secrets` **2.2.0** (app **v2.2.0**)
+- **Namespace:** `external-secrets`
+- **Helm release name:** `external-secrets` (matches the operator **ServiceAccount** name `external-secrets`)
+
+## Install
+
+```bash
+helm repo add external-secrets https://charts.external-secrets.io
+helm repo update
+kubectl apply -f clusters/noble/apps/external-secrets/namespace.yaml
+helm upgrade --install external-secrets external-secrets/external-secrets -n external-secrets \
+  --version 2.2.0 -f clusters/noble/apps/external-secrets/values.yaml --wait
+```
+
+Verify:
+
+```bash
+kubectl -n external-secrets get deploy,pods
+kubectl get crd | grep external-secrets
+```
+
+## Vault `ClusterSecretStore` (after Vault is deployed)
+
+The checklist expects a **Vault**-backed store. Install Vault first (`talos/CLUSTER-BUILD.md` Phase E — Vault on Longhorn + auto-unseal), then:
+
+1. Enable **KV v2** secrets engine and **Kubernetes** auth in Vault; create a **role** (e.g. `external-secrets`) that maps the cluster’s **`external-secrets` / `external-secrets`** service account to a policy that can read the paths you need.
+2. Copy **`examples/vault-cluster-secret-store.yaml`**, set **`spec.provider.vault.server`** to your Vault URL. This repo’s Vault Helm values use **HTTP** on port **8200** (`global.tlsDisable: true`): **`http://vault.vault.svc.cluster.local:8200`**. Use **`https://`** if you enable TLS on the Vault listener.
+3. If Vault uses a **private TLS CA**, configure **`caProvider`** or **`caBundle`** on the Vault provider — see [HashiCorp Vault provider](https://external-secrets.io/latest/provider/hashicorp-vault/). Do not commit private CA material to public git unless intended.
+4. Apply: **`kubectl apply -f …/vault-cluster-secret-store.yaml`**
+5. Confirm the store is ready: **`kubectl describe clustersecretstore vault`**
+
+Example **ExternalSecret** (after the store is healthy):
+
+```yaml
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: demo
+  namespace: default
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: demo-synced
+  data:
+    - secretKey: password
+      remoteRef:
+        key: secret/data/myapp
+        property: password
+```
+
+## Upgrades
+
+Pin the chart version in `values.yaml` header comments; run the same **`helm upgrade --install`** with the new **`--version`** after reviewing [release notes](https://github.com/external-secrets/external-secrets/releases).

clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml

@@ -0,0 +1,31 @@
+# ClusterSecretStore for HashiCorp Vault (KV v2) using Kubernetes auth.
+#
+# Do not apply until Vault is running, reachable from the cluster, and configured with:
+# - Kubernetes auth at mountPath (default: kubernetes)
+# - A role (below: external-secrets) bound to this service account:
+#     name: external-secrets
+#     namespace: external-secrets
+# - A policy allowing read on the KV path used below (e.g. secret/data/* for path "secret")
+#
+# Adjust server, mountPath, role, and path to match your Vault deployment. If Vault uses TLS
+# with a private CA, set provider.vault.caProvider or caBundle (see README).
+#
+# kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "http://vault.vault.svc.cluster.local:8200"
+      path: secret
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: external-secrets
+          serviceAccountRef:
+            name: external-secrets
+            namespace: external-secrets

clusters/noble/bootstrap/external-secrets/namespace.yaml

@@ -0,0 +1,5 @@
+# External Secrets Operator — apply before Helm.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets

clusters/noble/bootstrap/external-secrets/values.yaml

@@ -0,0 +1,10 @@
+# External Secrets Operator — noble
+#
+# helm repo add external-secrets https://charts.external-secrets.io
+# helm repo update
+# kubectl apply -f clusters/noble/apps/external-secrets/namespace.yaml
+# helm upgrade --install external-secrets external-secrets/external-secrets -n external-secrets \
+#   --version 2.2.0 -f clusters/noble/apps/external-secrets/values.yaml --wait
+#
+# CRDs are installed by the chart (installCRDs: true). Vault ClusterSecretStore: see README + examples/.
+commonLabels: {}