Stop tracking talos kubeconfig; remove Authentik token from git; add Newt kubeseal example

Remove committed talos/kubeconfig (cluster admin credentials). Ignore talos/kubeconfig at repo root.
Replace hardcoded LDAP outpost token with AUTHENTIK_LDAP_OUTPOST_TOKEN from .env.
Document Sealed Secrets workflow for Newt (kubeseal script + README updates). Clarify Talos secrets use talsecret/SOPS, not Sealed Secrets.

Made-with: Cursor

clusters/noble/apps/sealed-secrets/values.yaml

@@ -8,4 +8,11 @@
 #
 # Client: install kubeseal (same minor as controller — see README).
 # Defaults are sufficient for the lab; override here if you need key renewal, resources, etc.
+#
+# GitOps pattern: create Secrets only via SealedSecret (or External Secrets + Vault).
+# Example (Newt): clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+# Backup the controller's sealing key: kubectl -n sealed-secrets get secret sealed-secrets-key -o yaml
+#
+# Talos cluster secrets (bootstrap token, cluster secret, certs) belong in talhelper talsecret /
+# SOPS — not Sealed Secrets. See talos/README.md.
 commonLabels: {}