Stop tracking talos kubeconfig; remove Authentik token from git; add Newt kubeseal example

Remove committed talos/kubeconfig (cluster admin credentials). Ignore talos/kubeconfig at repo root.
Replace hardcoded LDAP outpost token with AUTHENTIK_LDAP_OUTPOST_TOKEN from .env.
Document Sealed Secrets workflow for Newt (kubeseal script + README updates). Clarify Talos secrets use talsecret/SOPS, not Sealed Secrets.

Made-with: Cursor

clusters/noble/apps/newt/README.md

@@ -6,7 +6,24 @@ This is the **primary** automation path for **public** hostnames to workloads in
 
 ## 1. Create the Secret
 
-Keys must match `values.yaml` (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`):
+Keys must match `values.yaml` (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`).
+
+### Option A — Sealed Secret (safe for GitOps)
+
+With the [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) controller installed (`clusters/noble/apps/sealed-secrets/`), generate a `SealedSecret` from your workstation (rotate credentials in Pangolin first if they were exposed):
+
+```bash
+chmod +x clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+export PANGOLIN_ENDPOINT='https://pangolin.pcenicni.dev'
+export NEWT_ID='YOUR_NEWT_ID'
+export NEWT_SECRET='YOUR_NEWT_SECRET'
+./clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
+kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
+```
+
+Commit only the `.sealedsecret.yaml` file, not plain `Secret` YAML.
+
+### Option B — Imperative Secret (not in git)
 
 ```bash
 kubectl apply -f clusters/noble/apps/newt/namespace.yaml

clusters/noble/apps/sealed-secrets/README.md

@@ -37,6 +37,8 @@ kubectl create secret generic example --from-literal=foo=bar --dry-run=client -o
 
 Commit `example-sealedsecret.yaml`; apply it with `kubectl apply -f`. The controller creates the **Secret** in the same namespace as the **SealedSecret**.
 
+**Noble example:** `examples/kubeseal-newt-pangolin-auth.sh` (Newt / Pangolin tunnel credentials).
+
 ## Backup the sealing key
 
 If the controller’s private key is lost, existing sealed files cannot be decrypted on a new cluster. Back up the key secret after install:

clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Emit a SealedSecret for newt-pangolin-auth (namespace newt).
+# Prerequisites: sealed-secrets controller running; kubeseal client (same minor as controller).
+# Rotate Pangolin/Newt credentials in the UI first if they were exposed, then set env vars and run:
+#
+#   export PANGOLIN_ENDPOINT='https://pangolin.example.com'
+#   export NEWT_ID='...'
+#   export NEWT_SECRET='...'
+#   ./kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
+#   kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
+#
+set -euo pipefail
+kubectl apply -f "$(dirname "$0")/../../newt/namespace.yaml" >/dev/null 2>&1 || true
+kubectl -n newt create secret generic newt-pangolin-auth \
+  --dry-run=client \
+  --from-literal=PANGOLIN_ENDPOINT="${PANGOLIN_ENDPOINT:?}" \
+  --from-literal=NEWT_ID="${NEWT_ID:?}" \
+  --from-literal=NEWT_SECRET="${NEWT_SECRET:?}" \
+  -o yaml | kubeseal -o yaml

clusters/noble/apps/sealed-secrets/values.yaml

@@ -8,4 +8,11 @@
 #
 # Client: install kubeseal (same minor as controller — see README).
 # Defaults are sufficient for the lab; override here if you need key renewal, resources, etc.
+#
+# GitOps pattern: create Secrets only via SealedSecret (or External Secrets + Vault).
+# Example (Newt): clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+# Backup the controller's sealing key: kubectl -n sealed-secrets get secret sealed-secrets-key -o yaml
+#
+# Talos cluster secrets (bootstrap token, cluster secret, certs) belong in talhelper talsecret /
+# SOPS — not Sealed Secrets. See talos/README.md.
 commonLabels: {}