# Traefik — noble

**Prerequisites:** **Cilium**, **MetalLB** (pool + L2), nodes **Ready**.

1. Create the namespace (Pod Security **baseline** — Traefik needs more than **restricted**):

   ```bash
   kubectl apply -f clusters/noble/bootstrap/traefik/namespace.yaml
   ```

2. Install the chart (**do not** use `--create-namespace` if the namespace already exists):

   ```bash
   helm repo add traefik https://traefik.github.io/charts
   helm repo update
   helm upgrade --install traefik traefik/traefik \
     --namespace traefik \
     --version 39.0.6 \
     -f clusters/noble/bootstrap/traefik/values.yaml \
     --wait
   ```

3. Confirm the Service has a pool address. On the **LAN**, **`*.apps.noble.lab.pcenicni.dev`** can resolve to this IP (split horizon / local DNS). **Public** names go through **Pangolin + Newt** (CNAME + API), not ExternalDNS — see **`clusters/noble/bootstrap/newt/README.md`**.

   ```bash
   kubectl get svc -n traefik traefik
   ```

   Values pin **`192.168.50.211`** via **`metallb.io/loadBalancerIPs`**. **`192.168.50.210`** stays free for Argo CD.

4. Create **Ingress** resources with **`ingressClassName: traefik`** (or rely on the default class). **TLS:** add **`cert-manager.io/cluster-issuer: letsencrypt-staging`** (or **`letsencrypt-prod`**) and **`tls`** hosts — see **`clusters/noble/bootstrap/cert-manager/README.md`**.

5. **Public DNS:** use **Newt** + Pangolin (**CNAME** at your DNS host + **Integration API** for resources/targets) — **`clusters/noble/bootstrap/newt/README.md`**.