These manifests bootstrap the GX10 RKE2 cluster's platform layer for the NUC→GX10 migration. They are direct-applied to the GX10 (its own kubectl) during bootstrap, and live under gx10/ (NOT apps/) so the OLD cluster's bluejay-infra ApplicationSet (whose apps/* generator targets the OLD cluster) does NOT auto-deploy them there. Once ArgoCD is stood up on the GX10, a GX10-only ApplicationSet (apps-gx10/*) will own these.

step-ca-acme.yaml — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
traefik-helmchart.yaml — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with externalTrafficPolicy: Local so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
gitea-ssh-service.yaml — Gitea SSH LoadBalancer service on 10.0.57.206:22 with externalTrafficPolicy: Local; HTTPS Gitea remains behind the Traefik VIP at 10.0.57.202. APPLIED.

cert-manager v1.17.2 was installed separately (upstream static manifest). See docs/ai-agents/gx10-migration-continuation-2026-06-14.md + memory project_gx10_ai_node_2026_06_13.