From 1d879c82f9f62ee6a8f14639e321bba60dd2adcb Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Mon, 27 Apr 2026 12:21:50 +0200 Subject: [PATCH] secrets shuffle --- .../argo-mcp}/argocd-mcp-credentials.yaml | 0 .../argo-mcp}/argocdmcp-auth-oidc-sealed.yaml | 0 apps/base/argo-mcp/kustomization.yaml | 2 ++ .../base/dot-ai-stack}/dot-ai-secrets.yaml | 0 apps/base/dot-ai-stack/kustomization.yaml | 1 + .../forte10x-app-credentials-sealed.yaml | 0 apps/base/mcp10x/kustomization.yaml | 1 + apps/base/musicman/kustomization.yaml | 1 + .../base/musicman}/musicman-credentials.yaml | 0 apps/base/ts-mcp/kustomization.yaml | 1 + .../base/ts-mcp}/ts-mcp-secrets-sealed.yaml | 0 bootstrap.sh | 1 + .../base/gitea}/gitea-backup-s3-sealed.yaml | 0 .../base/gitea}/gitea-credentials-sealed.yaml | 0 .../gitea}/gitea-runner-token-sealed.yaml | 0 .../base/gitea}/gitea-smtp-secret-sealed.yaml | 0 infra/base/gitea/kustomization.yaml | 4 +++ .../keycloak-credentials-sealed.yaml | 0 infra/base/keycloak/kustomization.yaml | 1 + infra/base/renovate/kustomization.yaml | 1 + .../base/renovate}/renovate-env-sealed.yaml | 0 .../argocd-forte-helm-secret-sealed.yaml | 0 infra/base/sealedsecrets/kustomization.yaml | 1 + infra/base/secrets/kustomization.yaml | 4 --- infra/base/secrets/secrets.yaml | 30 ------------------- secrets/base/kustomization.yaml | 16 ---------- secrets/overlays/aks-dev/kustomization.yaml | 4 --- secrets/overlays/aks-prod/kustomization.yaml | 4 --- secrets/overlays/eks-dev/kustomization.yaml | 4 --- secrets/overlays/eks-prod/kustomization.yaml | 4 --- secrets/overlays/gke-dev/kustomization.yaml | 4 --- secrets/overlays/gke-prod/kustomization.yaml | 4 --- secrets/overlays/upc-dev/kustomization.yaml | 4 --- secrets/overlays/upc-prod/kustomization.yaml | 4 --- 34 files changed, 14 insertions(+), 82 deletions(-) rename {secrets/base => apps/base/argo-mcp}/argocd-mcp-credentials.yaml (100%) rename {secrets/base => apps/base/argo-mcp}/argocdmcp-auth-oidc-sealed.yaml (100%) rename {secrets/base => apps/base/dot-ai-stack}/dot-ai-secrets.yaml (100%) 
rename {secrets/base => apps/base/mcp10x}/forte10x-app-credentials-sealed.yaml (100%) rename {secrets/base => apps/base/musicman}/musicman-credentials.yaml (100%) rename {secrets/base => apps/base/ts-mcp}/ts-mcp-secrets-sealed.yaml (100%) rename {secrets/base => infra/base/gitea}/gitea-backup-s3-sealed.yaml (100%) rename {secrets/base => infra/base/gitea}/gitea-credentials-sealed.yaml (100%) rename {secrets/base => infra/base/gitea}/gitea-runner-token-sealed.yaml (100%) rename {secrets/base => infra/base/gitea}/gitea-smtp-secret-sealed.yaml (100%) rename {secrets/base => infra/base/keycloak}/keycloak-credentials-sealed.yaml (100%) rename {secrets/base => infra/base/renovate}/renovate-env-sealed.yaml (100%) rename {secrets/base => infra/base/sealedsecrets}/argocd-forte-helm-secret-sealed.yaml (100%) delete mode 100644 infra/base/secrets/kustomization.yaml delete mode 100644 infra/base/secrets/secrets.yaml delete mode 100644 secrets/base/kustomization.yaml delete mode 100644 secrets/overlays/aks-dev/kustomization.yaml delete mode 100644 secrets/overlays/aks-prod/kustomization.yaml delete mode 100644 secrets/overlays/eks-dev/kustomization.yaml delete mode 100644 secrets/overlays/eks-prod/kustomization.yaml delete mode 100644 secrets/overlays/gke-dev/kustomization.yaml delete mode 100644 secrets/overlays/gke-prod/kustomization.yaml delete mode 100644 secrets/overlays/upc-dev/kustomization.yaml delete mode 100644 secrets/overlays/upc-prod/kustomization.yaml
diff --git a/secrets/base/argocd-mcp-credentials.yaml b/apps/base/argo-mcp/argocd-mcp-credentials.yaml
similarity index 100%
rename from secrets/base/argocd-mcp-credentials.yaml
rename to apps/base/argo-mcp/argocd-mcp-credentials.yaml
diff --git a/secrets/base/argocdmcp-auth-oidc-sealed.yaml b/apps/base/argo-mcp/argocdmcp-auth-oidc-sealed.yaml
similarity index 100%
rename from secrets/base/argocdmcp-auth-oidc-sealed.yaml
rename to apps/base/argo-mcp/argocdmcp-auth-oidc-sealed.yaml
diff --git a/apps/base/argo-mcp/kustomization.yaml b/apps/base/argo-mcp/kustomization.yaml
index 3073ad0..0e1bb35 100644
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -2,3 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
+- argocdmcp-auth-oidc-sealed.yaml
+- argocd-mcp-credentials.yaml
diff --git a/secrets/base/dot-ai-secrets.yaml b/apps/base/dot-ai-stack/dot-ai-secrets.yaml
similarity index 100%
rename from secrets/base/dot-ai-secrets.yaml
rename to apps/base/dot-ai-stack/dot-ai-secrets.yaml
diff --git a/apps/base/dot-ai-stack/kustomization.yaml b/apps/base/dot-ai-stack/kustomization.yaml
index 7a215b2..400e157 100644
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
+- dot-ai-secrets.yaml
diff --git a/secrets/base/forte10x-app-credentials-sealed.yaml b/apps/base/mcp10x/forte10x-app-credentials-sealed.yaml
similarity index 100%
rename from secrets/base/forte10x-app-credentials-sealed.yaml
rename to apps/base/mcp10x/forte10x-app-credentials-sealed.yaml
diff --git a/apps/base/mcp10x/kustomization.yaml b/apps/base/mcp10x/kustomization.yaml
index 7c11608..efda0de 100644
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
+- forte10x-app-credentials-sealed.yaml
diff --git a/apps/base/musicman/kustomization.yaml b/apps/base/musicman/kustomization.yaml
index 9f1b444..83d1a26 100644
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
+- musicman-credentials.yaml
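Review bot: `argocd-mcp-credentials.yaml`, added to `resources` in the argo-mcp hunk, lacks the `-sealed` suffix carried by the entry next to it, and the same is true of `dot-ai-secrets.yaml` in the dot-ai-stack hunk and `musicman-credentials.yaml` in the musicman hunk. All three files are moved at 100% similarity, so their contents are not visible in this patch; if any of them is a plain `kind: Secret` rather than a `SealedSecret`, its values are stored base64-encoded in git and should be sealed and the credentials rotated. If they are already sealed, renaming them to `*-sealed.yaml` would make the convention checkable in review, and until then a comment above each entry such as `# SealedSecret despite the file name` would record that.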
diff --git a/secrets/base/musicman-credentials.yaml b/apps/base/musicman/musicman-credentials.yaml similarity index 100% rename from secrets/base/musicman-credentials.yaml rename to apps/base/musicman/musicman-credentials.yaml diff --git a/apps/base/ts-mcp/kustomization.yaml b/apps/base/ts-mcp/kustomization.yaml index 0d75638..4d8206c 100644 --- a/apps/base/ts-mcp/kustomization.yaml +++ b/apps/base/ts-mcp/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ts-mcp.yaml +- ts-mcp-secrets-sealed.yaml diff --git a/secrets/base/ts-mcp-secrets-sealed.yaml b/apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml similarity index 100% rename from secrets/base/ts-mcp-secrets-sealed.yaml rename to apps/base/ts-mcp/ts-mcp-secrets-sealed.yaml diff --git a/bootstrap.sh b/bootstrap.sh index b2a9794..75af6fd 100644 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -28,6 +28,7 @@ Bootstrap() Gitea() { echo "Installing secret..." + kubectl apply -f "secrets/" kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml" kubectl apply -f "private/${CLUSTER}/main.key" } diff --git a/secrets/base/gitea-backup-s3-sealed.yaml b/infra/base/gitea/gitea-backup-s3-sealed.yaml similarity index 100% rename from secrets/base/gitea-backup-s3-sealed.yaml rename to infra/base/gitea/gitea-backup-s3-sealed.yaml diff --git a/secrets/base/gitea-credentials-sealed.yaml b/infra/base/gitea/gitea-credentials-sealed.yaml similarity index 100% rename from secrets/base/gitea-credentials-sealed.yaml rename to infra/base/gitea/gitea-credentials-sealed.yaml diff --git a/secrets/base/gitea-runner-token-sealed.yaml b/infra/base/gitea/gitea-runner-token-sealed.yaml similarity index 100% rename from secrets/base/gitea-runner-token-sealed.yaml rename to infra/base/gitea/gitea-runner-token-sealed.yaml 
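Review bot: The added `kubectl apply -f "secrets/"` in `Gitea()` reads from a directory that this same commit empties: every file shown under `secrets/base` is renamed away, and the `secrets/base` and `secrets/overlays/*` kustomizations are deleted. Unless `secrets/` holds files this patch does not touch, the apply has nothing to read and will fail, and without `-R` kubectl would not descend into subdirectories in any case. Either drop the line or point it at the directory the bootstrap secrets really live in, with a comment such as `# bootstrap-only secrets, not managed by Argo CD` stating what is expected there. If the intent is for operators to place unsealed manifests in `secrets/` locally before bootstrapping, that path should be git-ignored so they cannot be committed by accident.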
diff --git a/secrets/base/gitea-smtp-secret-sealed.yaml b/infra/base/gitea/gitea-smtp-secret-sealed.yaml
similarity index 100%
rename from secrets/base/gitea-smtp-secret-sealed.yaml
rename to infra/base/gitea/gitea-smtp-secret-sealed.yaml
diff --git a/infra/base/gitea/kustomization.yaml b/infra/base/gitea/kustomization.yaml
index 370338b..256f91f 100644
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -2,3 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
+- gitea-backup-s3-sealed.yaml
+- gitea-credentials-sealed.yaml
+- gitea-runner-token-sealed.yaml
+- gitea-smtp-secret-sealed.yaml
diff --git a/secrets/base/keycloak-credentials-sealed.yaml b/infra/base/keycloak/keycloak-credentials-sealed.yaml
similarity index 100%
rename from secrets/base/keycloak-credentials-sealed.yaml
rename to infra/base/keycloak/keycloak-credentials-sealed.yaml
diff --git a/infra/base/keycloak/kustomization.yaml b/infra/base/keycloak/kustomization.yaml
index 7a0f62b..24f51fe 100644
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
+- keycloak-credentials-sealed.yaml
diff --git a/infra/base/renovate/kustomization.yaml b/infra/base/renovate/kustomization.yaml
index b385840..bafd9d7 100644
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
+- renovate-env-sealed.yaml
diff --git a/secrets/base/renovate-env-sealed.yaml b/infra/base/renovate/renovate-env-sealed.yaml
similarity index 100%
rename from secrets/base/renovate-env-sealed.yaml
rename to infra/base/renovate/renovate-env-sealed.yaml
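Review bot: The four SealedSecrets added to `resources` in the gitea hunk are now applied by whatever syncs this kustomization, where before the dedicated `secrets` Application synced them with destination namespace `secrets` and `CreateNamespace=true`. Where they land now depends on each manifest's own `metadata.namespace`, which this patch does not show; with the default strict scope a SealedSecret only decrypts under the name and namespace it was sealed for, so any manifest that relied on the old destination namespace would stop unsealing. The removed Application also carried `prune: true` and `resources-finalizer.argocd.argoproj.io`, so deleting it is likely to delete the secrets it owns before the new location recreates them, and the commit description should say how that cutover is sequenced. The keycloak and renovate hunks further down have the same exposure.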
diff --git a/secrets/base/argocd-forte-helm-secret-sealed.yaml b/infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
similarity index 100%
rename from secrets/base/argocd-forte-helm-secret-sealed.yaml
rename to infra/base/sealedsecrets/argocd-forte-helm-secret-sealed.yaml
diff --git a/infra/base/sealedsecrets/kustomization.yaml b/infra/base/sealedsecrets/kustomization.yaml
index 520570d..6808461 100644
--- a/infra/base/sealedsecrets/kustomization.yaml
+++ b/infra/base/sealedsecrets/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
+- argocd-forte-helm-secret-sealed.yaml
diff --git a/infra/base/secrets/kustomization.yaml b/infra/base/secrets/kustomization.yaml
deleted file mode 100644
index b85a05b..0000000
--- a/infra/base/secrets/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- secrets.yaml
diff --git a/infra/base/secrets/secrets.yaml b/infra/base/secrets/secrets.yaml
deleted file mode 100644
index 8bb24e9..0000000
--- a/infra/base/secrets/secrets.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: secrets
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "2"
- notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
- notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
- notifications.argoproj.io/subscribe.on-degraded.slack: ""
- labels:
- app.kubernetes.io/name: secrets
- app.kubernetes.io/part-of: platform
- app.kubernetes.io/managed-by: argocd
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
- source:
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
- path: secrets/overlays/upc-dev
- destination:
- server: https://kubernetes.default.svc
- namespace: secrets
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
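Review bot: `argocd-forte-helm-secret-sealed.yaml` in the sealedsecrets hunk is now applied from the same kustomization as `sealedsecrets.yaml`, which by its name installs the Sealed Secrets controller, and the `sync-wave: "2"` ordering of the removed `secrets` Application no longer applies to it. If the `SealedSecret` CRD is not registered yet when this kustomization first syncs on a fresh cluster, the sync is likely to fail on the unknown kind. Consider annotating the manifest with `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` and a later `argocd.argoproj.io/sync-wave`, and add a comment beside the resource entry such as `# requires the SealedSecret CRD from sealedsecrets.yaml`.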
diff --git a/secrets/base/kustomization.yaml b/secrets/base/kustomization.yaml
deleted file mode 100644
index 79a16ae..0000000
--- a/secrets/base/kustomization.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- argocd-forte-helm-secret-sealed.yaml
-- argocd-mcp-credentials.yaml
-- argocdmcp-auth-oidc-sealed.yaml
-- dot-ai-secrets.yaml
-- forte10x-app-credentials-sealed.yaml
-- gitea-backup-s3-sealed.yaml
-- gitea-credentials-sealed.yaml
-- gitea-runner-token-sealed.yaml
-- gitea-smtp-secret-sealed.yaml
-- keycloak-credentials-sealed.yaml
-- musicman-credentials.yaml
-- renovate-env-sealed.yaml
-- ts-mcp-secrets-sealed.yaml
diff --git a/secrets/overlays/aks-dev/kustomization.yaml b/secrets/overlays/aks-dev/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/aks-dev/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/aks-prod/kustomization.yaml b/secrets/overlays/aks-prod/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/aks-prod/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/eks-dev/kustomization.yaml b/secrets/overlays/eks-dev/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/eks-dev/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/eks-prod/kustomization.yaml b/secrets/overlays/eks-prod/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/eks-prod/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/gke-dev/kustomization.yaml b/secrets/overlays/gke-dev/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/gke-dev/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/gke-prod/kustomization.yaml b/secrets/overlays/gke-prod/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/gke-prod/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/upc-dev/kustomization.yaml b/secrets/overlays/upc-dev/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/upc-dev/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
diff --git a/secrets/overlays/upc-prod/kustomization.yaml b/secrets/overlays/upc-prod/kustomization.yaml
deleted file mode 100644
index 4e4f197..0000000
--- a/secrets/overlays/upc-prod/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base