Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

clusters/noble/bootstrap/headlamp/README.md

@@ -0,0 +1,35 @@
+# Headlamp (noble)
+
+[Headlamp](https://headlamp.dev/) web UI for the cluster. Exposed on **`https://headlamp.apps.noble.lab.pcenicni.dev`** via **Traefik** + **cert-manager** (`letsencrypt-prod`), same pattern as Grafana.
+
+- **Chart:** `headlamp/headlamp` **0.40.1** (`config.sessionTTL: null` avoids chart/binary mismatch — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883))
+- **Namespace:** `headlamp`
+
+## Install
+
+```bash
+helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
+helm repo update
+kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
+helm upgrade --install headlamp headlamp/headlamp -n headlamp \
+  --version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m
+```
+
+Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO.
+
+## Sign-in token (ServiceAccount `headlamp`)
+
+Use a short-lived token (Kubernetes **1.24+**; requires permission to create **TokenRequests**):
+
+```bash
+export KUBECONFIG=/path/to/talos/kubeconfig   # or your admin kubeconfig
+kubectl -n headlamp create token headlamp --duration=48h
+```
+
+Paste the printed JWT into Headlamp’s token field at **`https://headlamp.apps.noble.lab.pcenicni.dev`**.
+
+To use another duration (cluster `spec.serviceAccount` / admission limits may cap it):
+
+```bash
+kubectl -n headlamp create token headlamp --duration=8760h
+```

clusters/noble/bootstrap/headlamp/namespace.yaml

@@ -0,0 +1,10 @@
+# Headlamp — apply before Helm.
+# Chart pods do not satisfy PSA "restricted" (see install warnings); align with other UIs.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: headlamp
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/noble/bootstrap/headlamp/values.yaml

@@ -0,0 +1,37 @@
+# Headlamp — noble (Kubernetes web UI)
+#
+# helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
+# helm repo update
+# kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
+# helm upgrade --install headlamp headlamp/headlamp -n headlamp \
+#   --version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m
+#
+# DNS: headlamp.apps.noble.lab.pcenicni.dev → Traefik LB (see talos/CLUSTER-BUILD.md).
+# Default chart RBAC is broad — restrict for production (Phase G).
+# Bind Headlamp’s ServiceAccount to the built-in **edit** ClusterRole (not **cluster-admin**).
+# For break-glass cluster-admin, use kubectl with your admin kubeconfig — not Headlamp.
+# If changing **clusterRoleName** on an existing install, Kubernetes forbids mutating **roleRef**:
+#   kubectl delete clusterrolebinding headlamp-admin
+#   helm upgrade … (same command as in the header comments)
+clusterRoleBinding:
+  clusterRoleName: edit
+#
+# Chart 0.40.1 passes -session-ttl but the v0.40.1 binary does not define it — omit the flag:
+# https://github.com/kubernetes-sigs/headlamp/issues/4883
+config:
+  sessionTTL: null
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+    - host: headlamp.apps.noble.lab.pcenicni.dev
+      paths:
+        - path: /
+          type: Prefix
+  tls:
+    - secretName: headlamp-apps-noble-tls
+      hosts:
+        - headlamp.apps.noble.lab.pcenicni.dev