Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

clusters/noble/bootstrap/traefik/README.md

@@ -0,0 +1,33 @@
+# Traefik — noble
+
+**Prerequisites:** **Cilium**, **MetalLB** (pool + L2), nodes **Ready**.
+
+1. Create the namespace (Pod Security **baseline** — Traefik needs more than **restricted**):
+
+   ```bash
+   kubectl apply -f clusters/noble/apps/traefik/namespace.yaml
+   ```
+
+2. Install the chart (**do not** use `--create-namespace` if the namespace already exists):
+
+   ```bash
+   helm repo add traefik https://traefik.github.io/charts
+   helm repo update
+   helm upgrade --install traefik traefik/traefik \
+     --namespace traefik \
+     --version 39.0.6 \
+     -f clusters/noble/apps/traefik/values.yaml \
+     --wait
+   ```
+
+3. Confirm the Service has a pool address. On the **LAN**, **`*.apps.noble.lab.pcenicni.dev`** can resolve to this IP (split horizon / local DNS). **Public** names go through **Pangolin + Newt** (CNAME + API), not ExternalDNS — see **`clusters/noble/apps/newt/README.md`**.
+
+   ```bash
+   kubectl get svc -n traefik traefik
+   ```
+
+   Values pin **`192.168.50.211`** via **`metallb.io/loadBalancerIPs`**. **`192.168.50.210`** stays free for Argo CD.
+
+4. Create **Ingress** resources with **`ingressClassName: traefik`** (or rely on the default class). **TLS:** add **`cert-manager.io/cluster-issuer: letsencrypt-staging`** (or **`letsencrypt-prod`**) and **`tls`** hosts — see **`clusters/noble/apps/cert-manager/README.md`**.
+
+5. **Public DNS:** use **Newt** + Pangolin (**CNAME** at your DNS host + **Integration API** for resources/targets) — **`clusters/noble/apps/newt/README.md`**.

clusters/noble/bootstrap/traefik/namespace.yaml

@@ -0,0 +1,10 @@
+# Traefik controller — apply before Helm (omit --create-namespace on install).
+# Ingress controller needs capabilities beyond "restricted"; use baseline.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline

clusters/noble/bootstrap/traefik/values.yaml

@@ -0,0 +1,29 @@
+# Traefik ingress controller — noble lab
+#
+# Chart: traefik/traefik — pin version on the helm command (e.g. 39.0.6).
+# DNS: point *.apps.noble.lab.pcenicni.dev to the LoadBalancer IP below.
+#
+# kubectl apply -f clusters/noble/apps/traefik/namespace.yaml
+# helm repo add traefik https://traefik.github.io/charts
+# helm upgrade --install traefik traefik/traefik -n traefik \
+#   --version 39.0.6 -f clusters/noble/apps/traefik/values.yaml --wait
+
+service:
+  type: LoadBalancer
+  annotations:
+    metallb.io/loadBalancerIPs: 192.168.50.211
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+  name: traefik
+
+# Ingress-only; Gateway API objects from the chart are not needed here.
+gateway:
+  enabled: false
+
+gatewayClass:
+  enabled: false
+
+deployment:
+  replicas: 1