Add basicAuth middleware to NOC proxy IngressRoutes

Add bcrypt-based basicAuth (admin/zenith-turret-falcon-umber) to grafana,
prometheus, and cockpit IngressRoutes in noc-proxy namespace. Uses shared
Secret and Middleware, matching the traefik-dashboard-auth pattern.

apps/noc-services/noc-services.yaml

@@ -11,6 +11,27 @@ metadata:
     app.kubernetes.io/part-of: bluejay-infra
 ---
 # ============================================================
+# BasicAuth - shared across all NOC proxy IngressRoutes
+# ============================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+type: Opaque
+data:
+  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+spec:
+  basicAuth:
+    secret: noc-proxy-auth
+---
+# ============================================================
 # Grafana - noc1:3000
 # ============================================================
 apiVersion: v1
@@ -61,6 +82,8 @@ spec:
   routes:
     - kind: Rule
       match: Host(`grafana.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
       services:
         - name: grafana-external
           port: 3000
@@ -118,6 +141,8 @@ spec:
   routes:
     - kind: Rule
       match: Host(`prometheus.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
       services:
         - name: prometheus-external
           port: 9091
@@ -185,6 +210,8 @@ spec:
   routes:
     - kind: Rule
       match: Host(`cockpit.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
       services:
         - name: cockpit-external
           port: 9090