feat(noc-services): wire puppetdb.iamworkin.lan through Traefik step-ca cert

apps/noc-services/noc-services.yaml

@@ -219,6 +219,65 @@ spec:
   tls:
     secretName: cockpit-tls
 ---
+# ============================================================
+# PuppetDB Dashboard - noc1:8080 (HTTP, web UI only)
+# Agent-to-PuppetDB mTLS still uses port 8081 directly via Puppet CA
+# (NOT via this proxy). See docs/infrastructure/cert-recovery-2026-04-28.md
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: puppetdb-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 8080
+      targetPort: 8080
+      name: http
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: puppetdb-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 8080
+        name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: puppetdb-tls
+  namespace: noc-proxy
+spec:
+  secretName: puppetdb-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - puppetdb.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: puppetdb
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`puppetdb.iamworkin.lan`)
+      services:
+        - name: puppetdb-external
+          port: 8080
+  tls:
+    secretName: puppetdb-tls
+---
 # NetworkPolicy: allow Traefik ingress, allow egress to noc1
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -242,6 +301,8 @@ spec:
       ports:
         - port: 3000
           protocol: TCP
+        - port: 8080
+          protocol: TCP
         - port: 9090
           protocol: TCP
         - port: 9091