Update CLUSTER-BUILD.md to reflect the current state of the Talos cluster, detailing progress through Phase D (observability) and advancements in Phase E (secrets). Include updates on Sealed Secrets, External Secrets Operator, and Vault configurations, along with deployment instructions and next steps for Kubernetes auth and ClusterSecretStore integration. Mark relevant tasks as completed and outline remaining objectives for future phases.

clusters/noble/apps/vault/values.yaml

@@ -0,0 +1,48 @@
+# HashiCorp Vault — noble (standalone, file storage on Longhorn; TLS disabled on listener for in-cluster HTTP).
+#
+# helm repo add hashicorp https://helm.releases.hashicorp.com
+# helm repo update
+# kubectl apply -f clusters/noble/apps/vault/namespace.yaml
+# helm upgrade --install vault hashicorp/vault -n vault \
+#   --version 0.32.0 -f clusters/noble/apps/vault/values.yaml --wait --timeout 15m
+#
+# Post-install: initialize, store unseal key in Secret, apply optional unseal CronJob — see README.md
+#
+global:
+  tlsDisable: true
+
+injector:
+  enabled: true
+
+server:
+  enabled: true
+  dataStorage:
+    enabled: true
+    size: 10Gi
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+  ha:
+    enabled: false
+  standalone:
+    enabled: true
+    config: |
+      ui = true
+
+      listener "tcp" {
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }
+
+      storage "file" {
+        path = "/vault/data"
+      }
+
+  # Allow pod Ready before init/unseal so Helm --wait succeeds (see Vault /v1/sys/health docs).
+  readinessProbe:
+    enabled: true
+    path: "/v1/sys/health?uninitcode=204&sealedcode=204&standbyok=true"
+    port: 8200
+
+ui:
+  enabled: true