From 1c6f18b67c61533e18842565172ce43ed82a2a94 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 28 Apr 2026 20:38:59 +0200 Subject: [PATCH 01/64] homepage --- README.md | 2 +- bootstrap.sh | 1 - docs/REFERENCE.md | 53 ++++++++++++++ infra/base/homepage/homepage-extra-rbac.yaml | 21 ++++++ .../homepage-widget-credentials-sealed.yaml | 16 ++++ infra/base/homepage/homepage.yaml | 43 +++++++++++ infra/base/homepage/kustomization.yaml | 6 ++ infra/base/kustomization.yaml | 1 + infra/overlays/aks-dev/kustomization.yaml | 10 +++ infra/values/aks-dev/homepage-values.yaml | 15 ++++ infra/values/base/argocd-values.yaml | 6 ++ infra/values/base/gitea-values.yaml | 9 +++ infra/values/base/grafana-values.yaml | 10 +++ infra/values/base/homepage-values.yaml | 73 +++++++++++++++++++ infra/values/base/keycloak-values.yaml | 6 ++ infra/values/upc-dev/databunker-values.yaml | 7 ++ infra/values/upc-dev/homepage-values.yaml | 15 ++++ shared-prompts | 2 +- 18 files changed, 293 insertions(+), 3 deletions(-) create mode 100644 infra/base/homepage/homepage-extra-rbac.yaml create mode 100644 infra/base/homepage/homepage-widget-credentials-sealed.yaml create mode 100644 infra/base/homepage/homepage.yaml create mode 100644 infra/base/homepage/kustomization.yaml create mode 100644 infra/values/aks-dev/homepage-values.yaml create mode 100644 infra/values/base/homepage-values.yaml create mode 100644 infra/values/upc-dev/homepage-values.yaml diff --git a/README.md b/README.md index 198cd80..8b300fe 100644 --- a/README.md +++ b/README.md 
@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl ### What's Inside -- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets +- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard) - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting diff --git a/bootstrap.sh b/bootstrap.sh index 75af6fd..b2a9794 100644 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -28,7 +28,6 @@ Bootstrap() Gitea() { echo "Installing secret..." - kubectl apply -f "secrets/" kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml" kubectl apply -f "private/${CLUSTER}/main.key" } diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 524a943..bfa7f46 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
@@ -725,6 +725,59 @@ TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy. ## Infrastructure Components +### Homepage (Platform Dashboard) + +**Chart**: `jameswynn/homepage` +**Namespace**: `homepage` +**URL**: `https://start.forteapps.net` + +Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations. + +**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment. + +**Annotated services**: +| Service | Namespace | Group | Widget | +|---------|-----------|-------|--------| +| `gitea-http` | `gitea` | DevOps | `gitea` | +| `argocd-server` | `argocd` | DevOps | `argocd` | +| `keycloak` | `keycloak` | Identity | none | +| `grafana` | `monitoring` | Monitoring | `grafana` | +| `karpor-server` | `karpor` | DevOps | none | + +**Adding a new app**: Annotate the app's Service in its Helm values: +```yaml +service: + annotations: + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "My App" + gethomepage.dev/description: "What it does" + gethomepage.dev/group: "GroupName" + gethomepage.dev/icon: "icon-name" # https://github.com/walkxcode/dashboard-icons + gethomepage.dev/href: "https://myapp.forteapps.net" + # Optional live widget: + gethomepage.dev/widget.type: "myapp" + gethomepage.dev/widget.url: "https://myapp.forteapps.net" + # gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}" +``` + +**Widget API credentials**: Inject via env vars into the Homepage pod: +```yaml +# In homepage-values.yaml per environment +env: +- name: HOMEPAGE_VAR_GRAFANA_TOKEN + valueFrom: + secretKeyRef: + name: homepage-widget-credentials + key: grafana-token +``` +Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`. 
+ +**Values files**: +- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout +- `infra/values/{env}/homepage-values.yaml` — hostname per environment + +--- + ### Traefik **Chart**: `traefik/traefik` diff --git a/infra/base/homepage/homepage-extra-rbac.yaml b/infra/base/homepage/homepage-extra-rbac.yaml new file mode 100644 index 0000000..1549ab3 --- /dev/null +++ b/infra/base/homepage/homepage-extra-rbac.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: homepage-services-reader +rules: +- apiGroups: [""] + resources: ["services"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: homepage-services-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: homepage-services-reader +subjects: +- kind: ServiceAccount + name: homepage + namespace: homepage diff --git a/infra/base/homepage/homepage-widget-credentials-sealed.yaml b/infra/base/homepage/homepage-widget-credentials-sealed.yaml new file mode 100644 index 0000000..3ab5e63 --- /dev/null +++ b/infra/base/homepage/homepage-widget-credentials-sealed.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: homepage-widget-credentials + namespace: homepage +spec: + encryptedData: + HOMEPAGE_VAR_GITEA_TOKEN: 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 + HOMEPAGE_VAR_GRAFANA_TOKEN: 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 + template: + metadata: + creationTimestamp: null + name: homepage-widget-credentials + namespace: homepage diff --git a/infra/base/homepage/homepage.yaml b/infra/base/homepage/homepage.yaml new file mode 100644 index 0000000..5caf146 --- /dev/null +++ b/infra/base/homepage/homepage.yaml 
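Review bot: The new `homepage-services-reader` ClusterRole gives the `homepage` ServiceAccount cluster-wide `list`/`watch` on every Service, yet every `gethomepage.dev/*` annotation added in this commit lands on Ingress resources (`ingress.annotations` in the argocd, gitea, grafana and keycloak values), which the chart's own RBAC turned on by `enableRbac: true` should already cover — worth confirming against chart 2.1.0. Unless Service-annotation discovery is actually relied on, this extra ClusterRole/ClusterRoleBinding widens what a compromised Homepage pod token can enumerate for no benefit. Either drop the file or state its purpose above the rule, e.g. `# Needed only for Services annotated directly (no Ingress); Ingress discovery is covered by the chart RBAC`.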
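Review bot: This SealedSecret sits in `infra/base/homepage`, and the `aks-dev` overlay in this same commit includes `../../base/homepage`, so one ciphertext is shipped to both clusters. A SealedSecret can only be unsealed by the controller that holds the key it was sealed with, and `bootstrap.sh` applies a per-cluster `private/${CLUSTER}/main.key`; unless that key is deliberately shared, the aks-dev Homepage pod will sit in a config error because `envFrom` references a `homepage-widget-credentials` that never materialises. Seal one secret per environment under the overlay, or if a single sealing key is intentionally shared, record that here — and note that it also means one Gitea/Grafana API token spans both environments, so those tokens must be read-only.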
@@ -0,0 +1,43 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: homepage + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "3" + labels: + app.kubernetes.io/name: homepage + app.kubernetes.io/part-of: platform + app.kubernetes.io/managed-by: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + + sources: + - repoURL: https://jameswynn.github.io/helm-charts + chart: homepage + targetRevision: "2.1.0" + helm: + releaseName: homepage + valueFiles: + - $values/infra/values/base/homepage-values.yaml + - $values/infra/values/upc-dev/homepage-values.yaml + + - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git + targetRevision: HEAD + ref: values + + destination: + server: https://kubernetes.default.svc + namespace: homepage + + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - Validate=true + - ServerSideApply=true diff --git a/infra/base/homepage/kustomization.yaml b/infra/base/homepage/kustomization.yaml new file mode 100644 index 0000000..d2c23da --- /dev/null +++ b/infra/base/homepage/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- homepage.yaml +- homepage-widget-credentials-sealed.yaml +- homepage-extra-rbac.yaml diff --git a/infra/base/kustomization.yaml b/infra/base/kustomization.yaml index 1f216f1..7c18dc8 100644 --- a/infra/base/kustomization.yaml +++ b/infra/base/kustomization.yaml @@ -21,3 +21,4 @@ resources: - grafana-dashboards - karpor - databunker +- homepage diff --git a/infra/overlays/aks-dev/kustomization.yaml b/infra/overlays/aks-dev/kustomization.yaml index 60edc78..9e7fa41 100644 --- a/infra/overlays/aks-dev/kustomization.yaml +++ b/infra/overlays/aks-dev/kustomization.yaml 
@@ -13,9 +13,19 @@ resources: - ../../base/prometheus - ../../base/sealedsecrets - ../../base/tempo +- ../../base/homepage - ../../base/traefik-application patches: +# Homepage: swap upc-dev → aks-dev +- target: + kind: Application + name: homepage + patch: | + - op: replace + path: /spec/sources/0/helm/valueFiles/1 + value: $values/infra/values/aks-dev/homepage-values.yaml + # Traefik: swap upc-dev → aks-dev - target: kind: Application diff --git a/infra/values/aks-dev/homepage-values.yaml b/infra/values/aks-dev/homepage-values.yaml new file mode 100644 index 0000000..101157e --- /dev/null +++ b/infra/values/aks-dev/homepage-values.yaml @@ -0,0 +1,15 @@ +ingress: + main: + enabled: true + ingressClassName: traefik + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: start.forteapps.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: homepage-tls + hosts: + - start.forteapps.net diff --git a/infra/values/base/argocd-values.yaml b/infra/values/base/argocd-values.yaml index 662812b..ddd6962 100644 --- a/infra/values/base/argocd-values.yaml +++ b/infra/values/base/argocd-values.yaml @@ -35,6 +35,12 @@ server: ingressClassName: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "ArgoCD" + gethomepage.dev/description: "GitOps continuous delivery" + gethomepage.dev/group: "DevOps" + gethomepage.dev/icon: "argo-cd" + gethomepage.dev/href: "https://argocd.forteapps.net" tls: true extraArgs: - --insecure diff --git a/infra/values/base/gitea-values.yaml b/infra/values/base/gitea-values.yaml index 619f779..e322a4b 100644 --- a/infra/values/base/gitea-values.yaml +++ b/infra/values/base/gitea-values.yaml 
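Review bot: `infra/values/aks-dev/homepage-values.yaml` is byte-identical to the upc-dev file (both are blob `101157e`), so the overlay's `valueFiles/1` swap changes nothing and both clusters claim `host: start.forteapps.net` with the same `homepage-tls` secret name. Only one cluster can own that DNS name; on the other, the `letsencrypt-prod` order can never validate if the issuer uses HTTP-01, and Traefik will fall back to its default certificate while the dashboard still answers. Give aks-dev its own hostname in this file and override `HOMEPAGE_ALLOWED_HOSTS` alongside it, since the base value lists only the upc-dev host.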
@@ -114,6 +114,15 @@ ingress: className: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "Gitea" + gethomepage.dev/description: "Git hosting & CI/CD" + gethomepage.dev/group: "DevOps" + gethomepage.dev/icon: "gitea" + gethomepage.dev/href: "https://git.forteapps.net" + gethomepage.dev/widget.type: "gitea" + gethomepage.dev/widget.url: "https://git.forteapps.net" + gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}" hosts: - host: git.forteapps.net paths: diff --git a/infra/values/base/grafana-values.yaml b/infra/values/base/grafana-values.yaml index 81e2dbf..9d229f5 100644 --- a/infra/values/base/grafana-values.yaml +++ b/infra/values/base/grafana-values.yaml @@ -3,11 +3,21 @@ ingress: ingressClassName: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "Grafana" + gethomepage.dev/description: "Metrics & observability dashboards" + gethomepage.dev/group: "Monitoring" + gethomepage.dev/icon: "grafana" + gethomepage.dev/href: "https://grafana.forteapps.net" tls: - secretName: grafana-tls hosts: - grafana.forteapps.net +persistence: + enabled: true + size: 1Gi + resources: requests: cpu: 50m diff --git a/infra/values/base/homepage-values.yaml b/infra/values/base/homepage-values.yaml new file mode 100644 index 0000000..22066ed --- /dev/null +++ b/infra/values/base/homepage-values.yaml 
@@ -0,0 +1,73 @@ +# Homepage Helm Values +# Chart: jameswynn/homepage — https://gethomepage.dev +# Discovery: K8s service annotations (gethomepage.dev/*) +# Each deployed app annotates its own Service — apps not deployed = not visible. + +# RBAC ClusterRole — required for cluster-wide service annotation scanning +enableRbac: true + +serviceAccount: + create: true + name: homepage + +config: + # Scan all namespaces for services with gethomepage.dev/enabled: "true" + kubernetes: + mode: cluster + traefik: true + + settings: + title: "Forte Platform" + headerStyle: clean + layout: + Apps: + style: row + columns: 3 + Identity: + style: row + columns: 2 + DevOps: + style: row + columns: 2 + Monitoring: + style: row + columns: 1 + + # Top-of-page cluster overview widget + widgets: + - kubernetes: + cluster: + show: true + cpu: true + memory: true + showLabel: true + label: "Cluster" + nodes: + show: true + cpu: true + memory: true + showLabel: true + # In-cluster entries come from K8s service annotations. + # External (out-of-cluster) services are listed here statically. + bookmarks: [] + services: + - Apps: + - Forte Feedback: + href: https://feedback.forteapps.net + description: Fortes internal feedback app + icon: forte + +resources: + requests: + cpu: 10m + memory: 128Mi + limits: + cpu: 100m + memory: 256Mi + +env: +- name: HOMEPAGE_ALLOWED_HOSTS + value: start.forteapps.net +envFrom: +- secretRef: + name: homepage-widget-credentials diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 109d14d..bfa2b2f 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml 
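Review bot: The `envFrom` block at the bottom imports every key of `homepage-widget-credentials` verbatim, which only works because the sealed secret in this commit already names its keys `HOMEPAGE_VAR_GITEA_TOKEN` / `HOMEPAGE_VAR_GRAFANA_TOKEN`; the REFERENCE.md snippet added in the same commit documents a different scheme (`env` + `secretKeyRef` with key `grafana-token`) that would not be picked up here, so one of the two should be corrected. Since Homepage uses these tokens server-side to call Gitea and Grafana on behalf of whoever loads the page, the values file should state the privilege expectation, e.g. `# Widget tokens are read-only API tokens; Homepage proxies them for every viewer, never grant write scopes`. The comment on `enableRbac` claims it is for "service annotation scanning", but the annotations in this commit are on Ingresses — reword it so the next reader does not assume Services are scanned.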
@@ -18,6 +18,12 @@ ingress: ingressClassName: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "Keycloak" + gethomepage.dev/description: "Identity & access management" + gethomepage.dev/group: "Identity" + gethomepage.dev/icon: "keycloak" + gethomepage.dev/href: "https://id.forteapps.net" metrics: enabled: true diff --git a/infra/values/upc-dev/databunker-values.yaml b/infra/values/upc-dev/databunker-values.yaml index ab60a39..fcbda4e 100644 --- a/infra/values/upc-dev/databunker-values.yaml +++ b/infra/values/upc-dev/databunker-values.yaml @@ -1,3 +1,10 @@ ingress: enabled: true host: databunker.forteapps.net + annotations: + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "Databunker" + gethomepage.dev/description: "Secure Database for PII and PCI Records" + gethomepage.dev/group: "Identity" + gethomepage.dev/icon: "adminer" + gethomepage.dev/href: "https://databunker.forteapps.net" diff --git a/infra/values/upc-dev/homepage-values.yaml b/infra/values/upc-dev/homepage-values.yaml new file mode 100644 index 0000000..101157e --- /dev/null +++ b/infra/values/upc-dev/homepage-values.yaml @@ -0,0 +1,15 @@ +ingress: + main: + enabled: true + ingressClassName: traefik + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: start.forteapps.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: homepage-tls + hosts: + - start.forteapps.net diff --git a/shared-prompts b/shared-prompts index c5bc55b..b79858d 160000 --- a/shared-prompts +++ b/shared-prompts @@ -1 +1 @@ -Subproject commit c5bc55b3d7bef7c2430bf9cb07b51c99055c85da +Subproject commit b79858d73c292e8aea2f1213abf3ad205b720a2a From 5a2f9a1b8866b0cffb39d84373ad291544703f7b Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 28 Apr 2026 19:27:38 +0000 Subject: [PATCH 02/64] Update infra/values/base/keycloak-values.yaml 
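Review bot: The Homepage ingress carries only the cert-manager annotation, and Homepage has no authentication of its own, so `https://start.forteapps.net` is an anonymous page that lists every internal service, shows node CPU/memory from the `kubernetes` widget, renders Gitea/Grafana data fetched with the platform's API tokens, and deep-links the Keycloak admin console. `HOMEPAGE_ALLOWED_HOSTS` in the base values only blocks Host-header spoofing; it does not restrict who may view the dashboard. Put the route behind the same Keycloak SSO the other apps use (a Traefik forward-auth middleware referenced via `traefik.ingress.kubernetes.io/router.middlewares`, if one exists in this cluster) or at least an IP allowlist, and record the decision in a comment above `annotations`.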
Signed-off-by: Danijel Simeunovic --- infra/values/base/keycloak-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index bfa2b2f..c88510a 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -23,7 +23,7 @@ ingress: gethomepage.dev/description: "Identity & access management" gethomepage.dev/group: "Identity" gethomepage.dev/icon: "keycloak" - gethomepage.dev/href: "https://id.forteapps.net" + gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/" metrics: enabled: true From db6afaf180db126a053b6df8d6a8d12b43fb2478 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 28 Apr 2026 22:44:57 +0200 Subject: [PATCH 03/64] vault Co-authored-by: Copilot --- infra/base/kustomization.yaml | 1 + infra/base/vault/kustomization.yaml | 4 ++ infra/base/vault/vault.yaml | 43 +++++++++++++++++++++ infra/values/base/homepage-values.yaml | 4 +- infra/values/base/keycloak-values.yaml | 2 +- infra/values/base/vault-values.yaml | 36 +++++++++++++++++ infra/values/upc-dev/databunker-values.yaml | 2 +- infra/values/upc-dev/vault-values.yaml | 9 +++++ 8 files changed, 97 insertions(+), 4 deletions(-) create mode 100644 infra/base/vault/kustomization.yaml create mode 100644 infra/base/vault/vault.yaml create mode 100644 infra/values/base/vault-values.yaml create mode 100644 infra/values/upc-dev/vault-values.yaml diff --git a/infra/base/kustomization.yaml b/infra/base/kustomization.yaml index 7c18dc8..6e802ef 100644 --- a/infra/base/kustomization.yaml +++ b/infra/base/kustomization.yaml @@ -22,3 +22,4 @@ resources: - karpor - databunker - homepage +- vault diff --git a/infra/base/vault/kustomization.yaml b/infra/base/vault/kustomization.yaml new file mode 100644 index 0000000..9d00240 --- /dev/null +++ b/infra/base/vault/kustomization.yaml 
@@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- vault.yaml diff --git a/infra/base/vault/vault.yaml b/infra/base/vault/vault.yaml new file mode 100644 index 0000000..1e59103 --- /dev/null +++ b/infra/base/vault/vault.yaml @@ -0,0 +1,43 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "1" + labels: + app.kubernetes.io/name: vault + app.kubernetes.io/part-of: security + app.kubernetes.io/managed-by: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + + sources: + - repoURL: https://helm.releases.hashicorp.com + chart: vault + targetRevision: "0.32.0" + helm: + releaseName: vault + valueFiles: + - $values/infra/values/base/vault-values.yaml + - $values/infra/values/upc-dev/vault-values.yaml + + - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git + targetRevision: HEAD + ref: values + + destination: + server: https://kubernetes.default.svc + namespace: vault + + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - Validate=true + - ServerSideApply=true diff --git a/infra/values/base/homepage-values.yaml b/infra/values/base/homepage-values.yaml index 22066ed..6df2480 100644 --- a/infra/values/base/homepage-values.yaml +++ b/infra/values/base/homepage-values.yaml @@ -23,9 +23,9 @@ config: Apps: style: row columns: 3 - Identity: + Security: style: row - columns: 2 + columns: 3 DevOps: style: row columns: 2 diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index c88510a..fbef335 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml 
@@ -21,7 +21,7 @@ ingress: gethomepage.dev/enabled: "true" gethomepage.dev/name: "Keycloak" gethomepage.dev/description: "Identity & access management" - gethomepage.dev/group: "Identity" + gethomepage.dev/group: "Security" gethomepage.dev/icon: "keycloak" gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/" diff --git a/infra/values/base/vault-values.yaml b/infra/values/base/vault-values.yaml new file mode 100644 index 0000000..0141ef2 --- /dev/null +++ b/infra/values/base/vault-values.yaml @@ -0,0 +1,36 @@ +# HashiCorp Vault Helm Chart Values +# Chart: hashicorp/vault v0.32.0 + +server: + standalone: + enabled: true + + dataStorage: + enabled: true + size: 5Gi + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 250m + memory: 256Mi + + ingress: + enabled: true + ingressClassName: traefik + pathType: Prefix + activeService: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "Vault" + gethomepage.dev/description: "Secrets management" + gethomepage.dev/group: "Security" + gethomepage.dev/icon: "vault" + gethomepage.dev/href: "https://vault.forteapps.net" + +ui: + enabled: true + serviceType: ClusterIP diff --git a/infra/values/upc-dev/databunker-values.yaml b/infra/values/upc-dev/databunker-values.yaml index fcbda4e..38734ef 100644 --- a/infra/values/upc-dev/databunker-values.yaml +++ b/infra/values/upc-dev/databunker-values.yaml @@ -5,6 +5,6 @@ ingress: gethomepage.dev/enabled: "true" gethomepage.dev/name: "Databunker" gethomepage.dev/description: "Secure Database for PII and PCI Records" - gethomepage.dev/group: "Identity" + gethomepage.dev/group: "Security" gethomepage.dev/icon: "adminer" gethomepage.dev/href: "https://databunker.forteapps.net" diff --git a/infra/values/upc-dev/vault-values.yaml b/infra/values/upc-dev/vault-values.yaml new file mode 100644 index 0000000..f6755f9 --- /dev/null +++ b/infra/values/upc-dev/vault-values.yaml 
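Review bot: `server.standalone.enabled: true` is used without overriding `server.standalone.config`, and the hashicorp chart's default standalone listener sets `tls_disable = 1` (verify for 0.32.0), so the only TLS is Traefik edge termination — the ingress-to-pod hop and every in-cluster client send Vault tokens in plaintext. Nothing here turns off the agent injector, which the chart installs by default as a cluster-wide mutating webhook, and no audit device is configured, both of which should be explicit choices for a secrets store. Add `injector: {enabled: false}` if the injector is unused, enable `server.auditStorage` with an audit device, and either hand the listener a cert-manager-issued certificate or leave a comment stating why plaintext inside the cluster is accepted.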
@@ -0,0 +1,9 @@ +server: + ingress: + hosts: + - host: vault.forteapps.net + paths: [] + tls: + - secretName: vault-tls + hosts: + - vault.forteapps.net From 308755a4b39ea808f6c1b35b69b449c3a3d04ddd Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 28 Apr 2026 23:02:13 +0200 Subject: [PATCH 04/64] layout --- infra/values/base/homepage-values.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/infra/values/base/homepage-values.yaml b/infra/values/base/homepage-values.yaml index 6df2480..905c565 100644 --- a/infra/values/base/homepage-values.yaml +++ b/infra/values/base/homepage-values.yaml @@ -26,12 +26,15 @@ config: Security: style: row columns: 3 - DevOps: + Tools: style: row columns: 2 - Monitoring: - style: row - columns: 1 + DevOps: + style: column + rows: 2 + Monitoring: + style: column + rows: 1 # Top-of-page cluster overview widget widgets: From b3b3edf82c318afede0486781f3140fda2414eb9 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 28 Apr 2026 23:03:15 +0200 Subject: [PATCH 05/64] no header --- infra/values/base/homepage-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/base/homepage-values.yaml b/infra/values/base/homepage-values.yaml index 905c565..5dc31d5 100644 --- a/infra/values/base/homepage-values.yaml +++ b/infra/values/base/homepage-values.yaml @@ -28,6 +28,7 @@ config: columns: 3 Tools: style: row + header: false columns: 2 DevOps: style: column From a088425b707f0846cee7f0a7952b75a716110665 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 29 Apr 2026 10:04:20 +0200 Subject: [PATCH 06/64] homepage config --- infra/values/base/homepage-values.yaml | 9 +--- infra/values/upc-dev/homepage-values.yaml | 50 +++++++++++++++++++++++ 2 files changed, 52 insertions(+), 7 deletions(-) diff --git a/infra/values/base/homepage-values.yaml b/infra/values/base/homepage-values.yaml index 5dc31d5..4ab2dce 100644 --- a/infra/values/base/homepage-values.yaml 
+++ b/infra/values/base/homepage-values.yaml @@ -17,7 +17,7 @@ config: traefik: true settings: - title: "Forte Platform" + title: "Platform" headerStyle: clean layout: Apps: @@ -54,12 +54,7 @@ config: # In-cluster entries come from K8s service annotations. # External (out-of-cluster) services are listed here statically. bookmarks: [] - services: - - Apps: - - Forte Feedback: - href: https://feedback.forteapps.net - description: Fortes internal feedback app - icon: forte + services: [] resources: requests: diff --git a/infra/values/upc-dev/homepage-values.yaml b/infra/values/upc-dev/homepage-values.yaml index 101157e..ccc70f5 100644 --- a/infra/values/upc-dev/homepage-values.yaml +++ b/infra/values/upc-dev/homepage-values.yaml @@ -13,3 +13,53 @@ ingress: - secretName: homepage-tls hosts: - start.forteapps.net + +config: + settings: + title: "Forte Platform" + headerStyle: clean + layout: + Apps: + style: row + columns: 4 + Security: + style: row + columns: 3 + Tools: + style: row + header: false + columns: 2 + DevOps: + style: column + rows: 2 + Monitoring: + style: column + rows: 1 + + # Top-of-page cluster overview widget + widgets: + - kubernetes: + cluster: + show: true + cpu: true + memory: true + showLabel: true + label: "Cluster" + nodes: + show: true + cpu: true + memory: true + showLabel: true + # In-cluster entries come from K8s service annotations. + # External (out-of-cluster) services are listed here statically. + bookmarks: [] + services: + - Apps: + - Forte Benken: + href: https://benken.hackathon.forteapps.net + description: Teknisk kompetanse fra offentlige anbud + icon: forte + - Forte Feedback: + href: https://feedback.forteapps.net + description: Fortes internal feedback app + icon: forte From 31fb476a7858977c24d2e8cc0f94c76f814bbf96 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 29 Apr 2026 10:06:02 +0200 Subject: [PATCH 07/64] row --- infra/values/upc-dev/homepage-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/infra/values/upc-dev/homepage-values.yaml b/infra/values/upc-dev/homepage-values.yaml index ccc70f5..a622d68 100644 --- a/infra/values/upc-dev/homepage-values.yaml +++ b/infra/values/upc-dev/homepage-values.yaml @@ -21,7 +21,7 @@ config: layout: Apps: style: row - columns: 4 + columns: 2 Security: style: row columns: 3 From 5a459d486e41677096ac992c2f57598192e21f7e Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 29 Apr 2026 10:53:35 +0200 Subject: [PATCH 08/64] dbunk-demo --- .../upc-dev/dbunk-demo/dbunk-demo.yaml | 47 +++++++++++++++++++ .../upc-dev/dbunk-demo/kustomization.yaml | 4 ++ apps/overlays/upc-dev/kustomization.yaml | 1 + 3 files changed, 52 insertions(+) create mode 100644 apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml create mode 100644 apps/overlays/upc-dev/dbunk-demo/kustomization.yaml diff --git a/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml b/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml new file mode 100644 index 0000000..a2743c4 --- /dev/null +++ b/apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml 
@@ -0,0 +1,47 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dbunk-demo + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "12" + labels: + app.kubernetes.io/name: dbunk-demo + app.kubernetes.io/part-of: apps + app.kubernetes.io/managed-by: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + + sources: + - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git + path: forteapp + targetRevision: HEAD + helm: + valueFiles: + - $values/dbunk-demo/values.yaml + + - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git + targetRevision: HEAD + ref: values + + destination: + server: https://kubernetes.default.svc + namespace: dbunk-demo + + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - Validate=true + - ServerSideApply=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m diff --git a/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml b/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml new file mode 100644 index 0000000..7bd806f --- /dev/null +++ b/apps/overlays/upc-dev/dbunk-demo/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- dbunk-demo.yaml diff --git a/apps/overlays/upc-dev/kustomization.yaml b/apps/overlays/upc-dev/kustomization.yaml index 1895aac..98e6a19 100644 --- a/apps/overlays/upc-dev/kustomization.yaml +++ b/apps/overlays/upc-dev/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base +- dbunk-demo # No patches needed — base already has "upc-dev" paths # upc-dev is the default/base cluster From f19f7c92378540ef9bb247e005ba0db73a15866f Mon Sep 17 00:00:00 2001 
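Review bot: Both sources use `targetRevision: HEAD` with `automated`/`selfHeal`/`prune`, so any push to the default branch of `forte-helm.git` or `helm-prod-values.git` is deployed to `dbunk-demo` immediately with no review gate; pin the chart source to a tag or commit (`targetRevision: "v1.2.3"`) and, if HEAD must be tracked, make sure those branches are protected. It is also odd for a demo overlay to take its values from a repository named `helm-prod-values` — if that is intended, say so in a comment, otherwise point it at the dev values repo. `project: default` is the unrestricted AppProject unless it has been narrowed elsewhere; a dedicated project with `sourceRepos`/`destinations` limited to these two repos and this namespace would keep a compromised values repo from deploying anywhere else.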
From: Danijel Simeunovic Date: Wed, 29 Apr 2026 12:07:04 +0200 Subject: [PATCH 09/64] icon --- infra/values/upc-dev/databunker-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/databunker-values.yaml b/infra/values/upc-dev/databunker-values.yaml index 38734ef..c126a70 100644 --- a/infra/values/upc-dev/databunker-values.yaml +++ b/infra/values/upc-dev/databunker-values.yaml @@ -6,5 +6,5 @@ ingress: gethomepage.dev/name: "Databunker" gethomepage.dev/description: "Secure Database for PII and PCI Records" gethomepage.dev/group: "Security" - gethomepage.dev/icon: "adminer" + gethomepage.dev/icon: "double-take" gethomepage.dev/href: "https://databunker.forteapps.net" From 6a9eadbde8810ededeef3f3df31e6dd46e8ee70d Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 29 Apr 2026 12:50:10 +0200 Subject: [PATCH 10/64] vault ignore diffs --- infra/base/vault/vault.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/infra/base/vault/vault.yaml b/infra/base/vault/vault.yaml index 1e59103..dfeea4e 100644 --- a/infra/base/vault/vault.yaml +++ b/infra/base/vault/vault.yaml @@ -41,3 +41,9 @@ spec: - CreateNamespace=true - Validate=true - ServerSideApply=true + + ignoreDifferences: + - group: apps + kind: StatefulSet + jsonPointers: + - /spec/volumeClaimTemplates From 4ca9039686daa5e0f73561f4b83cc24ade6b02c2 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 29 Apr 2026 12:54:07 +0200 Subject: [PATCH 11/64] kpolicy --- infra/base/kyverno-policies/kyverno-policies.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/infra/base/kyverno-policies/kyverno-policies.yaml b/infra/base/kyverno-policies/kyverno-policies.yaml index e00e063..ab0a25f 100644 --- a/infra/base/kyverno-policies/kyverno-policies.yaml +++ b/infra/base/kyverno-policies/kyverno-policies.yaml @@ -27,7 +27,6 @@ spec: automated: prune: true selfHeal: true - allowEmpty: false syncOptions: - CreateNamespace=true - Validate=true 
From 8b743efa436aee43a62d2f1aee607c24a109eee4 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 13 May 2026 23:13:09 +0200 Subject: [PATCH 12/64] KC fix --- infra/values/base/keycloak-values.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index fbef335..95dfc29 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -55,6 +55,9 @@ postgresql: size: 8Gi keycloakConfigCli: + extraEnvVars: + - name: IMPORT_MANAGED_PROTOCOL_MAPPER + value: "no-delete" enabled: true image: repository: bitnamilegacy/keycloak-config-cli @@ -72,7 +75,7 @@ keycloakConfigCli: "clients": [ { "clientId": "gitea", - "name": "Gitea", + "name": "Forte Git", "enabled": true, "protocol": "openid-connect", "clientAuthenticatorType": "client-secret", From fff95d98a54205c69d9d824964d6e0c87b10e40a Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 13 May 2026 23:15:28 +0200 Subject: [PATCH 13/64] remove protocol mappers --- infra/values/base/keycloak-values.yaml | 51 ++------------------------ 1 file changed, 3 insertions(+), 48 deletions(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 95dfc29..5e5432e 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -90,22 +90,7 @@ keycloakConfigCli: "k8s.secret.name": "gitea-oidc-credentials", "k8s.secret.client-id-key": "key", "k8s.secret.client-secret-key": "secret" - }, - "protocolMappers": [ - { - "name": "email_verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-hardcoded-claim-mapper", - "config": { - "claim.name": "email_verified", - "claim.value": "true", - "jsonType.label": "boolean", - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - } - ] + } }, { "clientId": "grafana", 
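Review bot: `IMPORT_MANAGED_PROTOCOL_MAPPER=no-delete` stops keycloak-config-cli from removing mappers that are absent from `forte-realm.json`, so from here on the realm may carry claim mappers that Git no longer describes, and a reviewer of this file can no longer tell what the gitea/grafana/argocd tokens actually contain. That undercuts the source-of-truth model the rest of this repo relies on and presumably keeps anything removed later (such as mappers deleted in a follow-up commit) live in the realm. If the intent is to stop the CLI fighting mappers created in the admin UI, say so and bound it: `# no-delete: preserve mappers hand-created in the admin UI; anything security-relevant must still be declared in this file`.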
@@ -124,23 +109,7 @@ keycloakConfigCli: "k8s.secret.name": "grafana-oidc-credentials", "k8s.secret.client-id-key": "client-id", "k8s.secret.client-secret-key": "client-secret" - }, - "protocolMappers": [ - { - "name": "client-roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "config": { - "claim.name": "resource_access.grafana.roles", - "jsonType.label": "String", - "multivalued": "true", - "usermodel.clientRoleMapping.clientId": "grafana", - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - } - ] + } }, { "clientId": "argocd", @@ -159,21 +128,7 @@ keycloakConfigCli: "k8s.secret.name": "argocd-oidc-credentials", "k8s.secret.client-id-key": "client-id", "k8s.secret.client-secret-key": "client-secret" - }, - "protocolMappers": [ - { - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "config": { - "claim.name": "groups", - "full.path": "false", - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - } - ] + } } ], "groups": [ From 67b1d95509ac3fd034deb95791c55530bb280ad9 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Thu, 14 May 2026 19:39:38 +0200 Subject: [PATCH 14/64] account linking --- infra/values/base/gitea-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/base/gitea-values.yaml b/infra/values/base/gitea-values.yaml index e322a4b..2bc7fbb 100644 --- a/infra/values/base/gitea-values.yaml +++ b/infra/values/base/gitea-values.yaml @@ -41,6 +41,7 @@ gitea: oauth2: ENABLED: true ENABLE_AUTO_REGISTRATION: true + ACCOUNT_LINKING: auto USERNAME: email session: From bd478478f100f51d75aabd4e70a38386f245265f Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Thu, 14 May 2026 20:40:44 +0200 Subject: [PATCH 15/64] fix attemt --- infra/values/base/gitea-values.yaml | 1 - infra/values/base/keycloak-values.yaml | 59 +++++++++++++++++++++++--- 2 files changed, 52 insertions(+), 8 deletions(-) diff --git a/infra/values/base/gitea-values.yaml b/infra/values/base/gitea-values.yaml index 2bc7fbb..e322a4b 100644 --- a/infra/values/base/gitea-values.yaml +++ b/infra/values/base/gitea-values.yaml @@ -41,7 +41,6 @@ gitea: oauth2: ENABLED: true ENABLE_AUTO_REGISTRATION: true - ACCOUNT_LINKING: auto USERNAME: email session: diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 5e5432e..7b47834 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -55,12 +55,12 @@ postgresql: size: 8Gi keycloakConfigCli: - extraEnvVars: - - name: IMPORT_MANAGED_PROTOCOL_MAPPER - value: "no-delete" enabled: true image: repository: bitnamilegacy/keycloak-config-cli + extraEnvVars: + - name: IMPORT_MANAGED_PROTOCOL_MAPPER + value: "no-delete" configuration: forte-realm.json: | { @@ -75,7 +75,7 @@ keycloakConfigCli: "clients": [ { "clientId": "gitea", - "name": "Forte Git", + "name": "Gitea", "enabled": true, "protocol": "openid-connect", "clientAuthenticatorType": "client-secret", @@ -90,7 +90,22 @@ keycloakConfigCli: "k8s.secret.name": "gitea-oidc-credentials", "k8s.secret.client-id-key": "key", "k8s.secret.client-secret-key": "secret" - } + }, + "protocolMappers": [ + { + "name": "email_verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-hardcoded-claim-mapper", + "config": { + "claim.name": "email_verified", + "claim.value": "true", + "jsonType.label": "boolean", + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] }, { "clientId": "grafana", 
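Review bot: The re-added `email_verified` mapper is an `oidc-hardcoded-claim-mapper` with `claim.value: "true"`, so every token issued to the `gitea` client asserts a verified e-mail address regardless of whether Keycloak or the upstream IdP actually verified it. Gitea is configured with `ENABLE_AUTO_REGISTRATION: true` and `USERNAME: email` (visible in the gitea-values hunk of this same patch), and `ACCOUNT_LINKING: auto` is added in PATCH 14 and again in PATCH 18, so an unverified address carried by an IdP identity is enough to auto-create or auto-link a Gitea account under that address. Prefer a mapper that reflects real state, e.g. `"protocolMapper": "oidc-usermodel-property-mapper"` with `"user.attribute": "emailVerified"`, or record in a comment why a hardcoded value is acceptable for the federated Entra users. The `forte-realm.json` document continues outside the hunk.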
@@ -109,7 +124,23 @@ keycloakConfigCli: "k8s.secret.name": "grafana-oidc-credentials", "k8s.secret.client-id-key": "client-id", "k8s.secret.client-secret-key": "client-secret" - } + }, + "protocolMappers": [ + { + "name": "client-roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "config": { + "claim.name": "resource_access.grafana.roles", + "jsonType.label": "String", + "multivalued": "true", + "usermodel.clientRoleMapping.clientId": "grafana", + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] }, { "clientId": "argocd", @@ -128,7 +159,21 @@ keycloakConfigCli: "k8s.secret.name": "argocd-oidc-credentials", "k8s.secret.client-id-key": "client-id", "k8s.secret.client-secret-key": "client-secret" - } + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "config": { + "claim.name": "groups", + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] } ], "groups": [ From 3644a3ec876483b448e590fa49fb7105e9fc33b2 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Thu, 14 May 2026 21:14:57 +0200 Subject: [PATCH 16/64] mappers --- infra/values/base/keycloak-values.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 7b47834..d238521 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -104,6 +104,18 @@ keycloakConfigCli: "access.token.claim": "true", "userinfo.token.claim": "true" } + }, + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "config": { + "claim.name": "groups", + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } } ] }, 
@@ -177,6 +189,14 @@ keycloakConfigCli: } ], "groups": [ + { + "name": "Forte Org k8s", + "path": "/k8s" + }, + { + "name": "Forte Org developers", + "path": "/dev" + }, { "name": "ArgoCD Admins", "path": "/ArgoCD Admins" From 80d7bff4bc0dd4fdfc50c785fc441d1b45d64d18 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Thu, 14 May 2026 21:18:17 +0200 Subject: [PATCH 17/64] groups --- infra/values/base/keycloak-values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index d238521..644fb35 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -190,11 +190,11 @@ keycloakConfigCli: ], "groups": [ { - "name": "Forte Org k8s", + "name": "k8s", "path": "/k8s" }, { - "name": "Forte Org developers", + "name": "dev", "path": "/dev" }, { From bc42347cb68eb0981d5a92b82122f44f07d6a3ef Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Thu, 14 May 2026 21:30:53 +0200 Subject: [PATCH 18/64] gitea+ACCOUNT_LINKING --- infra/values/base/gitea-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/base/gitea-values.yaml b/infra/values/base/gitea-values.yaml index e322a4b..2bc7fbb 100644 --- a/infra/values/base/gitea-values.yaml +++ b/infra/values/base/gitea-values.yaml @@ -41,6 +41,7 @@ gitea: oauth2: ENABLED: true ENABLE_AUTO_REGISTRATION: true + ACCOUNT_LINKING: auto USERNAME: email session: From f363afa08794b34411470dd05d1edced824cbae3 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Thu, 14 May 2026 23:43:40 +0200 Subject: [PATCH 19/64] browser flow override --- docs/REFERENCE.md | 24 +++++++++++++++++++++ infra/values/base/keycloak-values.yaml | 30 ++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index bfa7f46..3eae2a8 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
@@ -1141,6 +1141,30 @@ ignore: - Check Gitea Actions tab for workflow run status and logs - Monitor Anthropic usage dashboard for token consumption +### Keycloak Browser Flow (IdP Auto-Redirect) + +**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`) + +The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider. + +**Flow executions**: + +| Priority | Authenticator | Requirement | Purpose | +|----------|--------------|-------------|---------| +| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) | +| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP | + +**Key fields in realm JSON**: +- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level +- `"authenticationFlows"` — defines the custom flow with its executions +- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector + +**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again. + +**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON. + +--- + ### Keycloak Client Registrar **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 644fb35..c00a1d3 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml 
@@ -188,6 +188,36 @@ keycloakConfigCli: ] } ], + "browserFlow": "browser-auto-idp", + "authenticationFlows": [ + { + "alias": "browser-auto-idp", + "description": "Browser flow with auto-redirect to Forte Entra IdP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10 + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorConfig": { + "alias": "forte-entra-redirector", + "config": { + "defaultProvider": "forte-entra" + } + } + } + ] + } + ], "groups": [ { "name": "k8s", From 332881cbd023d9260cc337edc6b13e72b0ba1416 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Thu, 14 May 2026 23:47:14 +0200 Subject: [PATCH 20/64] fix --- infra/values/base/keycloak-values.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index c00a1d3..68b78ec 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -208,16 +208,19 @@ keycloakConfigCli: "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 20, - "authenticatorConfig": { - "alias": "forte-entra-redirector", - "config": { - "defaultProvider": "forte-entra" - } - } + "authenticatorConfig": "forte-entra-redirector" } ] } ], + "authenticatorConfig": [ + { + "alias": "forte-entra-redirector", + "config": { + "defaultProvider": "forte-entra" + } + } + ], "groups": [ { "name": "k8s", From 66f40427eed82eb6a91311f4bdce22a919fb7e78 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Fri, 15 May 2026 15:47:25 +0200 Subject: [PATCH 21/64] mappings --- infra/values/base/keycloak-values.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
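Review bot: After the PATCH 20 fix the only path through `browser-auto-idp` for a user without a session cookie is `identity-provider-redirector` with `defaultProvider: "forte-entra"`, yet that identity provider is not defined anywhere in `forte-realm.json` (the REFERENCE.md hunk of PATCH 19 states it is created by hand in the admin console). A realm import on a fresh cluster, or a rename of the alias, therefore produces a realm in which no browser login is possible, with nothing in Git explaining why. Consider declaring the provider under an `"identityProviders"` entry of the realm JSON, with its secret handled through the repo's existing sealed-secret pattern, so the redirect target is managed alongside the flow that depends on it; failing that, add a comment next to `defaultProvider` naming the manual dependency. The realm JSON continues outside the hunk.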
diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 68b78ec..c6745db 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -224,11 +224,17 @@ keycloakConfigCli: "groups": [ { "name": "k8s", - "path": "/k8s" + "path": "/k8s", + "clientRoles": { + "grafana": ["Editor"] + } }, { "name": "dev", - "path": "/dev" + "path": "/dev", + "clientRoles": { + "grafana": ["Viewer"] + } }, { "name": "ArgoCD Admins", From f048b47a0f5837952951494ba46e8d4892a283cd Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 15:39:55 +0200 Subject: [PATCH 22/64] vaultwarden --- infra/overlays/upc-dev/kustomization.yaml | 1 + .../upc-dev/vaultwarden/kustomization.yaml | 5 +++ .../vaultwarden-db-secret-sealed.yaml | 18 ++++++++ .../upc-dev/vaultwarden/vaultwarden.yaml | 43 ++++++++++++++++++ infra/values/base/vaultwarden-values.yaml | 3 ++ infra/values/upc-dev/vaultwarden-values.yaml | 45 +++++++++++++++++++ 6 files changed, 115 insertions(+) create mode 100644 infra/overlays/upc-dev/vaultwarden/kustomization.yaml create mode 100644 infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml create mode 100644 infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml create mode 100644 infra/values/base/vaultwarden-values.yaml create mode 100644 infra/values/upc-dev/vaultwarden-values.yaml diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml index be1f13c..ccd8ad8 100644 --- a/infra/overlays/upc-dev/kustomization.yaml +++ b/infra/overlays/upc-dev/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base +- vaultwarden # No patches needed — base already has "upc-dev" paths # upc-dev is the default/base cluster 
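Review bot: The new `clientRoles` mappings reference Grafana client roles `Editor` and `Viewer`, but no `roles.client.grafana` definition for them is visible in the realm JSON within this view; as far as I recall keycloak-config-cli aborts the import when a group references a client role that does not exist, so confirm they are declared (or created by another mechanism) before this lands. If they are meant to be owned by this file, add them under the realm's `"roles": { "client": { "grafana": [...] } }` block. The `groups` array continues outside the hunk.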
diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml new file mode 100644 index 0000000..01a969c --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- vaultwarden.yaml +- vaultwarden-db-secret-sealed.yaml diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml new file mode 100644 index 0000000..fb0a249 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: prod-db-creds + namespace: vaultwarden +spec: + encryptedData: + SMTP_PASSWORD: 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 + SMTP_USERNAME: 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 + pgpassword: 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 + pgusername: 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 + template: + metadata: + creationTimestamp: null + name: prod-db-creds + namespace: vaultwarden diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml new file mode 100644 index 0000000..1d41fd8 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml 
@@ -0,0 +1,43 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vaultwarden + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "1" + labels: + app.kubernetes.io/name: vaultwarden + app.kubernetes.io/part-of: security + app.kubernetes.io/managed-by: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + + sources: + - repoURL: https://guerzon.github.io/vaultwarden + chart: vaultwarden + targetRevision: "0.36.4" + helm: + releaseName: vaultwarden + valueFiles: + - $values/infra/values/base/vaultwarden-values.yaml + - $values/infra/values/upc-dev/vaultwarden-values.yaml + + - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git + targetRevision: HEAD + ref: values + + destination: + server: https://kubernetes.default.svc + namespace: vaultwarden + + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - Validate=true + - ServerSideApply=true diff --git a/infra/values/base/vaultwarden-values.yaml b/infra/values/base/vaultwarden-values.yaml new file mode 100644 index 0000000..d7bbc71 --- /dev/null +++ b/infra/values/base/vaultwarden-values.yaml @@ -0,0 +1,3 @@ +image: + tag: "1.36.0-alpine" +domain: "https://vaultwarden.forteapps.net" diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml new file mode 100644 index 0000000..78da760 --- /dev/null +++ b/infra/values/upc-dev/vaultwarden-values.yaml 
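Review bot: The new Application is placed in `project: default`, and the default AppProject places no restriction on source repositories, destination namespaces or cluster-scoped resource kinds, so any content the `launchpad` repo's default branch (`targetRevision: HEAD`) comes to hold can be deployed anywhere in the cluster under this app's identity. For a workload that stores a password vault a dedicated AppProject with `sourceRepos`, `destinations` and a `clusterResourceWhitelist` scoped to the `vaultwarden` namespace would contain the blast radius of a repository or ArgoCD compromise. The same `project: default` / `targetRevision: HEAD` pair is repeated in `vaultwarden-postgresql.yaml` added in PATCH 28.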
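Review bot: `domain` is set to `https://vaultwarden.forteapps.net` while the upc-dev values hunk of this same patch serves the app at `hostname: bitwarden.forteapps.net`. Vaultwarden uses `DOMAIN` as the origin for WebAuthn/passkey verification and for links in invitation and verification e-mails, so unless a second ingress or redirect for `vaultwarden.forteapps.net` exists outside this view, passkey enrolment will fail and e-mailed links will point at the wrong host. Align the two, e.g. `domain: "https://bitwarden.forteapps.net"`, or move `domain` into the per-cluster values next to `hostname` so the pair cannot drift apart.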
@@ -0,0 +1,45 @@ +database: + type: postgresql + existingSecret: prod-db-creds + existingSecretUserKey: pgusername + existingSecretPasswordKey: pgpassword +ingress: + enabled: true + class: "traefik" + tlsSecret: vw-forteapps-net-crt + hostname: bitwarden.forteapps.net + +replicas: 5 + +service: + sessionAffinity: ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +smtp: + host: smtp.office365.com + from: no-reply@forteapps.net + fromName: "Forte Bitwarden Administrator" + existingSecret: prod-db-creds + username: + existingSecretKey: SMTP_USERNAME + password: + existingSecretKey: SMTP_PASSWORD + +storage: + data: + name: "vaultwarden-data" + size: "5Gi" + class: "" + path: "/data" + keepPvc: true + accessMode: "ReadWriteOnce" + + attachments: + name: "vaultwarden-files" + size: "5Gi" + class: "" + path: /files + keepPvc: true + accessMode: "ReadWriteOnce" From 716c552be9b1a3a562cefcc004a475a1de804b7c Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 15:44:04 +0200 Subject: [PATCH 23/64] ns --- infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml index 1d41fd8..ceb52c8 100644 --- a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml +++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml @@ -1,3 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vaultwarden +--- + apiVersion: argoproj.io/v1alpha1 kind: Application metadata: From 66de9b8a0af54c5f3572bb8501da87a5b92977b7 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 15:48:13 +0200 Subject: [PATCH 24/64] replicas --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 78da760..eb275c3 100644 
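Review bot: Nothing in these values sets `signupsAllowed` or `signupDomains`, and in the guerzon chart versions I know the default for `signupsAllowed` is `true` (confirm against 0.36.4's values.yaml), so as far as this page shows anyone who reaches `bitwarden.forteapps.net` can register a vault on the instance. Set `signupsAllowed: false` (invitations still work through `invitationsAllowed`) or, if self-registration for the organisation is wanted, restrict it with `signupDomains: "forteapps.net"`. Separately, the SMTP credentials are read from the same `prod-db-creds` object as the database credentials, so the file named `vaultwarden-db-secret-sealed.yaml` actually holds mail credentials too; a distinct secret, or at least a neutral name, keeps rotation and least-privilege reviews honest.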
--- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -9,7 +9,7 @@ ingress: tlsSecret: vw-forteapps-net-crt hostname: bitwarden.forteapps.net -replicas: 5 +replicas: 1 service: sessionAffinity: ClientIP From b90b630b06abfcaa1a953870796834a5ef63fd80 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 15:52:10 +0200 Subject: [PATCH 25/64] comment --- infra/values/upc-dev/vaultwarden-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index eb275c3..dce2585 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -10,6 +10,7 @@ ingress: hostname: bitwarden.forteapps.net replicas: 1 +# Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs service: sessionAffinity: ClientIP From 21fb50ba00b4e3dcfa5580c0d7ba0e503fece89c Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 15:55:18 +0200 Subject: [PATCH 26/64] vw fixes --- docs/REFERENCE.md | 40 ++++++++++++++++++++ infra/values/upc-dev/vaultwarden-values.yaml | 5 ++- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 3eae2a8..b0821b7 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
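Review bot: The comment added under `replicas: 1` pastes a raw Multi-Attach error containing a PVC UID and a pod name, both of which will be stale after the next reschedule and neither of which tells the next reader why the value must stay at 1. State the constraint instead: `# Must stay 1: the data and attachments PVCs are ReadWriteOnce, so a second pod cannot mount them (Multi-Attach error)`.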
@@ -1063,6 +1063,46 @@ dind: - Gitea admin panel (`/admin/runners`) — runners show as Online - Create test workflow in `.gitea/workflows/test.yml` — job executes +### Vaultwarden + +**Chart**: `guerzon/vaultwarden` +**Version**: 0.36.4 (app v1.36.0-alpine) +**Namespace**: `vaultwarden` + +**Purpose**: Self-hosted Bitwarden-compatible password manager. + +**Configuration**: +```yaml +# infra/overlays/upc-dev/vaultwarden/ + infra/values/ +domain: "https://vaultwarden.forteapps.net" + +ingress: + enabled: true + class: "traefik" + tls: true + tlsSecret: vaultwarden-tls + hostname: bitwarden.forteapps.net + additionalAnnotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + +database: + type: postgresql + existingSecret: prod-db-creds + +storage: + data: 5Gi (ReadWriteOnce) + attachments: 5Gi (ReadWriteOnce) +``` + +**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc). + +**Endpoints**: +- Web UI: `https://bitwarden.forteapps.net` + +**Secrets**: +- `prod-db-creds` — PostgreSQL credentials + SMTP credentials +- `vaultwarden-tls` — auto-managed by cert-manager + ### AI Code Review (ai-review) **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index dce2585..78a7c14 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -6,8 +6,11 @@ database: ingress: enabled: true class: "traefik" - tlsSecret: vw-forteapps-net-crt + tls: true + tlsSecret: vaultwarden-tls hostname: bitwarden.forteapps.net + additionalAnnotations: + cert-manager.io/cluster-issuer: letsencrypt-prod replicas: 1 # Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs From f2c56156bf8d185260d9ea088beea2cf2df8b498 Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Sat, 16 May 2026 18:10:14 +0200 Subject: [PATCH 27/64] vw postgres --- docs/REFERENCE.md | 5 +- .../upc-dev/vaultwarden/kustomization.yaml | 1 + .../upc-dev/vaultwarden/postgresql.yaml | 102 ++++++++++++++++++ infra/values/upc-dev/vaultwarden-values.yaml | 3 + 4 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 infra/overlays/upc-dev/vaultwarden/postgresql.yaml diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index b0821b7..c6bd7a0 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -1087,6 +1087,7 @@ ingress: database: type: postgresql + host: vaultwarden-postgresql # StatefulSet in overlay existingSecret: prod-db-creds storage: @@ -1099,8 +1100,10 @@ storage: **Endpoints**: - Web UI: `https://bitwarden.forteapps.net` +**Database**: Standalone PostgreSQL 16 StatefulSet (`vaultwarden-postgresql`) deployed in overlay with 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately. + **Secrets**: -- `prod-db-creds` — PostgreSQL credentials + SMTP credentials +- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials - `vaultwarden-tls` — auto-managed by cert-manager ### AI Code Review (ai-review) diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml index 01a969c..8d6e150 100644 --- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - vaultwarden.yaml - vaultwarden-db-secret-sealed.yaml +- postgresql.yaml diff --git a/infra/overlays/upc-dev/vaultwarden/postgresql.yaml b/infra/overlays/upc-dev/vaultwarden/postgresql.yaml new file mode 100644 index 0000000..8ed617e --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden/postgresql.yaml 
@@ -0,0 +1,102 @@ +apiVersion: v1 +kind: Service +metadata: + name: vaultwarden-postgresql + namespace: vaultwarden + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/component: database +spec: + type: ClusterIP + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + selector: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: vaultwarden +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: vaultwarden-postgresql + namespace: vaultwarden + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/component: database +spec: + serviceName: vaultwarden-postgresql + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: vaultwarden + template: + metadata: + labels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: vaultwarden + app.kubernetes.io/component: database + spec: + containers: + - name: postgresql + image: postgres:16-alpine + ports: + - name: tcp-postgresql + containerPort: 5432 + env: + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: prod-db-creds + key: pgusername + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: prod-db-creds + key: pgpassword + - name: POSTGRES_DB + value: vaultwarden + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + volumeMounts: + - name: data + mountPath: /var/lib/postgresql/data + livenessProbe: + exec: + command: + - pg_isready + - -U + - $(POSTGRES_USER) + - -d + - vaultwarden + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - pg_isready + - -U + - $(POSTGRES_USER) + - -d + - vaultwarden + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + 
storage: 2Gi diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 78a7c14..ac956c7 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,5 +1,8 @@ database: type: postgresql + host: vaultwarden-postgresql + port: "5432" + dbName: vaultwarden existingSecret: prod-db-creds existingSecretUserKey: pgusername existingSecretPasswordKey: pgpassword From 74f4f86770f584b47672fceeaaf8902e155c8ac5 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 19:34:42 +0200 Subject: [PATCH 28/64] vw apps --- docs/REFERENCE.md | 2 +- infra/overlays/upc-dev/kustomization.yaml | 1 + .../vaultwarden-postgresql/kustomization.yaml | 4 ++ .../resources/kustomization.yaml | 5 +++ .../resources}/postgresql.yaml | 0 .../vaultwarden-db-secret-sealed.yaml | 0 .../vaultwarden-postgresql.yaml | 40 +++++++++++++++++++ .../upc-dev/vaultwarden/kustomization.yaml | 2 - .../upc-dev/vaultwarden/vaultwarden.yaml | 6 --- 9 files changed, 51 insertions(+), 9 deletions(-) create mode 100644 infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml create mode 100644 infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml rename infra/overlays/upc-dev/{vaultwarden => vaultwarden-postgresql/resources}/postgresql.yaml (100%) rename infra/overlays/upc-dev/{vaultwarden => vaultwarden-postgresql/resources}/vaultwarden-db-secret-sealed.yaml (100%) create mode 100644 infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index c6bd7a0..74d5568 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
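Review bot: The PostgreSQL StatefulSet runs with no pod or container `securityContext`, and the `vaultwarden-postgresql` Service is reachable on 5432 from every namespace because no NetworkPolicy accompanies it, although what it guards is the password vault's database. Add `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, with `fsGroup` set to the image's postgres uid (70 in the alpine variant — confirm), and a NetworkPolicy admitting only the Vaultwarden pods. `image: postgres:16-alpine` is also a floating tag; pinning a digest (`postgres:16-alpine@sha256:<digest-placeholder>`) keeps the Git source authoritative for what actually runs. The hunk covers the whole new file; a minimal NetworkPolicy to append would look like the following, with the client pod selector to be confirmed against the labels the chart emits.
```yaml
# … unchanged: Service and StatefulSet …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaultwarden-postgresql
  namespace: vaultwarden
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: vaultwarden
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: vaultwarden  # PLACEHOLDER: confirm the label the chart puts on its pods
      ports:
        - protocol: TCP
          port: 5432
```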
@@ -1100,7 +1100,7 @@ storage: **Endpoints**: - Web UI: `https://bitwarden.forteapps.net` -**Database**: Standalone PostgreSQL 16 StatefulSet (`vaultwarden-postgresql`) deployed in overlay with 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately. +**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately. **Secrets**: - `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml index ccd8ad8..fac7510 100644 --- a/infra/overlays/upc-dev/kustomization.yaml +++ b/infra/overlays/upc-dev/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base +- vaultwarden-postgresql - vaultwarden # No patches needed — base already has "upc-dev" paths diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml new file mode 100644 index 0000000..e3e2778 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- vaultwarden-postgresql.yaml diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml new file mode 100644 index 0000000..b02c8e8 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- postgresql.yaml +- vaultwarden-db-secret-sealed.yaml 
diff --git a/infra/overlays/upc-dev/vaultwarden/postgresql.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml similarity index 100% rename from infra/overlays/upc-dev/vaultwarden/postgresql.yaml rename to infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml similarity index 100% rename from infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml rename to infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml new file mode 100644 index 0000000..4e878f6 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml @@ -0,0 +1,40 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vaultwarden +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vaultwarden-postgresql + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/name: vaultwarden-postgresql + app.kubernetes.io/part-of: security + app.kubernetes.io/managed-by: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + + source: + repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git + targetRevision: HEAD + path: infra/overlays/upc-dev/vaultwarden-postgresql/resources + + destination: + server: https://kubernetes.default.svc + namespace: vaultwarden + + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - Validate=true + - ServerSideApply=true 
diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml index 8d6e150..65b394b 100644 --- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -2,5 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - vaultwarden.yaml -- vaultwarden-db-secret-sealed.yaml -- postgresql.yaml diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml index ceb52c8..1d41fd8 100644 --- a/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml +++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml @@ -1,9 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: vaultwarden ---- - apiVersion: argoproj.io/v1alpha1 kind: Application metadata: From f3286ef77e72ea013028d966fc67e5efd17eda39 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 19:44:17 +0200 Subject: [PATCH 29/64] homepage vw --- infra/values/upc-dev/vaultwarden-values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index ac956c7..b79c549 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -14,6 +14,12 @@ ingress: hostname: bitwarden.forteapps.net additionalAnnotations: cert-manager.io/cluster-issuer: letsencrypt-prod + gethomepage.dev/enabled: "true" + gethomepage.dev/name: "BitWarden" + gethomepage.dev/description: "Password management" + gethomepage.dev/group: "Security" + gethomepage.dev/icon: "BitWarden" + gethomepage.dev/href: "https://bitwarden.forteapps.net" replicas: 1 # Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs From 302705d37410c13c684cb4330c26af09d17329bd Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Sat, 16 May 2026 19:45:19 +0200 Subject: [PATCH 30/64] icon --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index b79c549..ce5b51b 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -18,7 +18,7 @@ ingress: gethomepage.dev/name: "BitWarden" gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" - gethomepage.dev/icon: "BitWarden" + gethomepage.dev/icon: "bitwarden" gethomepage.dev/href: "https://bitwarden.forteapps.net" replicas: 1 From 73ef3a6e121c3369b5f937a445d4748c8d1e0eea Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 19:49:38 +0200 Subject: [PATCH 31/64] pg fix --- .../resources/postgresql.yaml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml index 8ed617e..f638543 100644 --- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml @@ -67,21 +67,17 @@ spec: livenessProbe: exec: command: - - pg_isready - - -U - - $(POSTGRES_USER) - - -d - - vaultwarden + - sh + - -c + - pg_isready -U "$POSTGRES_USER" -d vaultwarden initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: exec: command: - - pg_isready - - -U - - $(POSTGRES_USER) - - -d - - vaultwarden + - sh + - -c + - pg_isready -U "$POSTGRES_USER" -d vaultwarden initialDelaySeconds: 5 periodSeconds: 5 resources: From a8baa169e92ab91d57c36f397ec988b655c8a3c9 Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Sat, 16 May 2026 20:00:22 +0200 Subject: [PATCH 32/64] secrets vw --- .../vaultwarden-db-secret-sealed.yaml | 19 +++++++++++++++++++ infra/values/upc-dev/vaultwarden-values.yaml | 1 + 2 files changed, 20 insertions(+) create mode 100644 infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml new file mode 100644 index 0000000..d197377 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: prod-db-creds + namespace: vaultwarden +spec: + encryptedData: + DATABASE_URL: AgCsu5gQQOJm3/dr4Wvy1KJMUmP5PRAh29fV+s/8SHhFZg4TajdgXskcY3NorJbF0DB5yOY8EPOwz9FZ3glkoBgfjkHWzZveUdoLab5uv7B7FxwWNgYK6qbOlU/Ol3AYCCqF95etVPANtlOLdhF4Amo0rMstBu/0i2cuqT2PyPp2K8L7gJH2UE1BSYlXYn9u/jSe9GGeBCcile1rmEQ6h8I3Wu2XyW/+asa98AsaERKRiAcuheRZ/wyzs0V70fAKghENvAVeOQLmch0wfZaQBrhBxsE+WHNUKT0wovo20rWtC1Ro/vGnXhvu5QWck2ATH2Y9dbELRQlTijMwpUOkYPp+u7k8X3CLyem3ubXGnU6RJBx0/duDmhzrMjGS6g7c+tiMjkwnsjr2OogykByrJ1459xwBmZQgu6wmraJyjD8SVTboJWLlBrbqP5eWUCp/ZO8uh24L3yRdqrnnSGsP9O90svtjZ3z61CUvcqw0tBjvIrWsjtopzXVI2O0RPcXWEJ6300ICtm0N3jCL84pOjLHIz5vhVMdRNmg/W3qd1mTqsf/796Ve8smMB0we4ig5Gqj4gfeMmdhWToUTnilHFbjYEgim+Ax3e1hXZ2WghpJ2Wt4WYWmeDBtkScLvAc+FdZY/QlwvgpuksnqnzzymipPBAVAnR+MEHKiTssTe4QctO4cmYG0bk83RUDGzOMf6ARWMdmagLwqssoJjlPY5ch5yjeJ8gxK7E4OAUNeaKY8xWHHUFL7mVAsbTb0Jl1gPkV8aM5b3OQhUNRbylV/pEfACEBxcxG46o+a+8RJhseGdX84rg1MU7mTaaYPhmZY0It1NyopUs3784aY= + SMTP_PASSWORD: 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 + SMTP_USERNAME: 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 + pgpassword: AgArqTrW04RdUa7x6u/yzMCcpJC3Hx4J9o0gM7D5ftrpjZ/yv7A/2fZvIdJSk3LLDlUoOaT/yXNKNnV9R0GAMXT5daVAl23+5qkIbZC5LsPVI0RlCKQ1oXBXb64jmGTNXrOz+kV7MT9N+eDAYd5D2oxAlZUE7gJ3UiYVdFxUTYmtbtdPJcrAdpoZ3aq8L4Inpz4jb8nfm4zvlvbk+pWY2uiQPDpORqcW9BhroIruYGNOTRSZmXQjSCA1BOutZ0iACzN2jPnzvjuQUUksgo50fd3wsvneVjT+ZwvXHiBwoUuAWT0hhJQYRkM5JMOmSNRkSksxXMoLfwDzunRFlfi5Nd19V2aleio88RfdrQ/j6AIAevY+S3NW72/UEcQZseUbpMgbomlDJn3hBAqqOzf85B/y2y9y7euFrRGYC3y5aUGvdQOCqGjM3PXZctN1D7ncPpxq6VK1zoo/PYbpyv+oga7y3wNz0nNRzmTdfynP48ftXIXAyEx6N0fE1BhqhOhJIxVdPM1lh8LqHtbD2IraIZ1CMVZi1dYYzxeaPItzM5Wc5xkIgdX3NK4LO1H2O6u9klSJwgJycAZtxKEQz8YeYIT9ETTN1FzKNAZgUoD/ZvaeXvkwI4NuLKebVwtRuk/5w1JxWqb8EvQx96C/QJfzbwfEGbtt44eCWqhlffp/yiLHhvGst6s+wjCirrEJ40iConLzVcwAWD6oksCkiLQ2Omx4V5PC7Uq9tKv/y8h2YWAylFHFj+0C2iR9L4mbGw== + pgusername: 
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 + template: + metadata: + creationTimestamp: null + name: prod-db-creds + namespace: vaultwarden diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index ce5b51b..ae071ab 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -4,6 +4,7 @@ database: port: "5432" dbName: vaultwarden existingSecret: prod-db-creds + existingSecretKey: DATABASE_URL existingSecretUserKey: pgusername existingSecretPasswordKey: pgpassword ingress: From 8634436dd4d433da37be63a0191b66372db8f943 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:07:17 +0200 Subject: [PATCH 33/64] StatefulSet --- infra/values/upc-dev/vaultwarden-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index ae071ab..fe679f9 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,3 +1,4 @@ +resourceType: StatefulSet database: type: postgresql host: vaultwarden-postgresql From 52732626e572432f147f0d221494b37a19f1b954 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:10:19 +0200 Subject: [PATCH 34/64] ignorediffs --- .../vaultwarden-postgresql/vaultwarden-postgresql.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml index 4e878f6..8a0d1d2 100644 --- a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml @@ -38,3 +38,9 @@ spec: - CreateNamespace=true - Validate=true - ServerSideApply=true + + ignoreDifferences: + - group: apps + kind: StatefulSet + jsonPointers: + - /spec/volumeClaimTemplates 
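Review bot: The new `prod-db-creds` SealedSecret carries the Postgres password twice — once as `pgpassword` and again embedded in `DATABASE_URL` — and the values hunk then points the chart at the URL (`existingSecretKey: DATABASE_URL`) while still naming `pgusername`/`pgpassword`, so a rotation that updates one key but not the other leaves Vaultwarden and the database silently disagreeing. The same Secret also bundles `SMTP_USERNAME`/`SMTP_PASSWORD`, meaning any workload or RBAC subject granted this one Secret gets mail-sending credentials along with database access. Keeping a single source of truth for the password (either the URL or the user/password pair) and splitting SMTP into its own Secret would narrow both problems. The name `prod-db-creds` inside an `upc-dev` overlay is also worth a second look: if these are dev credentials the name misleads, and if they are production ones they should not be shipped from a dev overlay.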
From 4b29c07fd6f90443bf68404307ce0b9a1faeaa88 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:15:37 +0200 Subject: [PATCH 35/64] secret --- infra/overlays/upc-dev/vaultwarden/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml index 65b394b..01a969c 100644 --- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - vaultwarden.yaml +- vaultwarden-db-secret-sealed.yaml From ac1c242fb9b32f5ca732dbb4176547a3ecdb2220 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:17:14 +0200 Subject: [PATCH 36/64] kust --- infra/overlays/upc-dev/vaultwarden/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml index 01a969c..9b67cd0 100644 --- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -1,5 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- vaultwarden.yaml - vaultwarden-db-secret-sealed.yaml +- vaultwarden.yaml From cb64edc927c0b2ea5d878e9e73b782418d497663 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:18:48 +0200 Subject: [PATCH 37/64] cleanup --- .../vaultwarden-db-secret-sealed.yaml | 9 +++++---- .../upc-dev/vaultwarden/kustomization.yaml | 1 - .../vaultwarden-db-secret-sealed.yaml | 19 ------------------- infra/values/upc-dev/vaultwarden-values.yaml | 1 + 4 files changed, 6 insertions(+), 24 deletions(-) delete mode 100644 infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml 
diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml index fb0a249..d197377 100644 --- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml 
@@ -7,10 +7,11 @@ metadata: namespace: vaultwarden spec: encryptedData: - SMTP_PASSWORD: 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 - SMTP_USERNAME: AgC1Zsv5l5Wbrq7VZC2U55+0/LQvZEbsmlxq2O5Z+Xp/admdqptEBGlLKEdIn7CmyBzvmrmWasmN4NJPJHoeLWn7SgsoULTu1UQ3W9kgcrXUJ52dwOrYLMJUxJuh+OD9HEJejfOMksc2rSM69I4NUc+NXaDSZOo+gzldWzBN7nCa778NcnMgJxVcT4gqjTIRB9EOrCo4f3ldFJzVJW7qNnxurN0UZQ51y+nj+4z2R+LvfOJ1BT5YQC+nmx80HVBMdQWK5WO4QdxCtenXfiFDNcGK3MK/Exd+kubOWse85CMt2dR0GWuIfIOp+t4XQXfb1pxhTibh/fGae9dD0RpSX1c8hobkpXaDJIYeb7ZQF5J6Zf68fgCn0YircY1hB4yF7uX5CQL1yv76M4tM9yuOn5FTJaIG6byWn/RsHZ7KPIUSd1mOce9ZqfTkKzvC/wfX45UMhPEsdXF9o67mAtOpdmBGrmeDD+7GwPwKXz3JgDovlGtzvLvMZ27+x1dpC8LrcAjcKXXGKczbs3L2Pc+tymd9dis36RvlFLEgQG32ffQu5vQXqGcoSEnlZ0l39qoU9EItkA5kp0isGiJI46hJtAdTTNr0roymvrfDyLXpAvXTQYaVMC7/8KVb2r3kIPKtnsDuU2A57ceiqtdWQgUarPn4F0O3SaCnprmTm2thgCgQOkW7BGlN3CCsVboZUIOlFr7CwTswB9ZI6tzOj2WsUOhriTfIuXv3kyrFCspo - pgpassword: 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 - pgusername: 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 + DATABASE_URL: AgCsu5gQQOJm3/dr4Wvy1KJMUmP5PRAh29fV+s/8SHhFZg4TajdgXskcY3NorJbF0DB5yOY8EPOwz9FZ3glkoBgfjkHWzZveUdoLab5uv7B7FxwWNgYK6qbOlU/Ol3AYCCqF95etVPANtlOLdhF4Amo0rMstBu/0i2cuqT2PyPp2K8L7gJH2UE1BSYlXYn9u/jSe9GGeBCcile1rmEQ6h8I3Wu2XyW/+asa98AsaERKRiAcuheRZ/wyzs0V70fAKghENvAVeOQLmch0wfZaQBrhBxsE+WHNUKT0wovo20rWtC1Ro/vGnXhvu5QWck2ATH2Y9dbELRQlTijMwpUOkYPp+u7k8X3CLyem3ubXGnU6RJBx0/duDmhzrMjGS6g7c+tiMjkwnsjr2OogykByrJ1459xwBmZQgu6wmraJyjD8SVTboJWLlBrbqP5eWUCp/ZO8uh24L3yRdqrnnSGsP9O90svtjZ3z61CUvcqw0tBjvIrWsjtopzXVI2O0RPcXWEJ6300ICtm0N3jCL84pOjLHIz5vhVMdRNmg/W3qd1mTqsf/796Ve8smMB0we4ig5Gqj4gfeMmdhWToUTnilHFbjYEgim+Ax3e1hXZ2WghpJ2Wt4WYWmeDBtkScLvAc+FdZY/QlwvgpuksnqnzzymipPBAVAnR+MEHKiTssTe4QctO4cmYG0bk83RUDGzOMf6ARWMdmagLwqssoJjlPY5ch5yjeJ8gxK7E4OAUNeaKY8xWHHUFL7mVAsbTb0Jl1gPkV8aM5b3OQhUNRbylV/pEfACEBxcxG46o+a+8RJhseGdX84rg1MU7mTaaYPhmZY0It1NyopUs3784aY= + SMTP_PASSWORD: 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 + SMTP_USERNAME: 
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 + pgpassword: AgArqTrW04RdUa7x6u/yzMCcpJC3Hx4J9o0gM7D5ftrpjZ/yv7A/2fZvIdJSk3LLDlUoOaT/yXNKNnV9R0GAMXT5daVAl23+5qkIbZC5LsPVI0RlCKQ1oXBXb64jmGTNXrOz+kV7MT9N+eDAYd5D2oxAlZUE7gJ3UiYVdFxUTYmtbtdPJcrAdpoZ3aq8L4Inpz4jb8nfm4zvlvbk+pWY2uiQPDpORqcW9BhroIruYGNOTRSZmXQjSCA1BOutZ0iACzN2jPnzvjuQUUksgo50fd3wsvneVjT+ZwvXHiBwoUuAWT0hhJQYRkM5JMOmSNRkSksxXMoLfwDzunRFlfi5Nd19V2aleio88RfdrQ/j6AIAevY+S3NW72/UEcQZseUbpMgbomlDJn3hBAqqOzf85B/y2y9y7euFrRGYC3y5aUGvdQOCqGjM3PXZctN1D7ncPpxq6VK1zoo/PYbpyv+oga7y3wNz0nNRzmTdfynP48ftXIXAyEx6N0fE1BhqhOhJIxVdPM1lh8LqHtbD2IraIZ1CMVZi1dYYzxeaPItzM5Wc5xkIgdX3NK4LO1H2O6u9klSJwgJycAZtxKEQz8YeYIT9ETTN1FzKNAZgUoD/ZvaeXvkwI4NuLKebVwtRuk/5w1JxWqb8EvQx96C/QJfzbwfEGbtt44eCWqhlffp/yiLHhvGst6s+wjCirrEJ40iConLzVcwAWD6oksCkiLQ2Omx4V5PC7Uq9tKv/y8h2YWAylFHFj+0C2iR9L4mbGw== + pgusername: 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 template: metadata: creationTimestamp: null diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml index 9b67cd0..65b394b 100644 --- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- vaultwarden-db-secret-sealed.yaml - vaultwarden.yaml diff --git a/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml deleted file mode 100644 index d197377..0000000 --- a/infra/overlays/upc-dev/vaultwarden/vaultwarden-db-secret-sealed.yaml +++ /dev/null 
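Review bot: After this move the `prod-db-creds` SealedSecret is delivered by the vaultwarden-postgresql overlay but consumed by the vaultwarden chart (`existingSecret: prod-db-creds` for DB and SMTP), a cross-Application dependency with no ordering visible in this series, so a fresh sync of the vaultwarden Application alone will presumably start before the Secret exists and crash-loop until the Postgres app catches up. Making the dependency explicit — for example an `argocd.argoproj.io/sync-wave` annotation on the SealedSecret and a later wave on the Vaultwarden Application, or keeping the Secret in the overlay that references it — avoids a sync-order surprise. Note also that every key was re-sealed here; if the underlying `pgpassword` value changed, a Postgres data directory initialised with the old value will not pick up the new one, so confirm that only the ciphertext changed.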
@@ -1,19 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: prod-db-creds - namespace: vaultwarden -spec: - encryptedData: - DATABASE_URL: AgCsu5gQQOJm3/dr4Wvy1KJMUmP5PRAh29fV+s/8SHhFZg4TajdgXskcY3NorJbF0DB5yOY8EPOwz9FZ3glkoBgfjkHWzZveUdoLab5uv7B7FxwWNgYK6qbOlU/Ol3AYCCqF95etVPANtlOLdhF4Amo0rMstBu/0i2cuqT2PyPp2K8L7gJH2UE1BSYlXYn9u/jSe9GGeBCcile1rmEQ6h8I3Wu2XyW/+asa98AsaERKRiAcuheRZ/wyzs0V70fAKghENvAVeOQLmch0wfZaQBrhBxsE+WHNUKT0wovo20rWtC1Ro/vGnXhvu5QWck2ATH2Y9dbELRQlTijMwpUOkYPp+u7k8X3CLyem3ubXGnU6RJBx0/duDmhzrMjGS6g7c+tiMjkwnsjr2OogykByrJ1459xwBmZQgu6wmraJyjD8SVTboJWLlBrbqP5eWUCp/ZO8uh24L3yRdqrnnSGsP9O90svtjZ3z61CUvcqw0tBjvIrWsjtopzXVI2O0RPcXWEJ6300ICtm0N3jCL84pOjLHIz5vhVMdRNmg/W3qd1mTqsf/796Ve8smMB0we4ig5Gqj4gfeMmdhWToUTnilHFbjYEgim+Ax3e1hXZ2WghpJ2Wt4WYWmeDBtkScLvAc+FdZY/QlwvgpuksnqnzzymipPBAVAnR+MEHKiTssTe4QctO4cmYG0bk83RUDGzOMf6ARWMdmagLwqssoJjlPY5ch5yjeJ8gxK7E4OAUNeaKY8xWHHUFL7mVAsbTb0Jl1gPkV8aM5b3OQhUNRbylV/pEfACEBxcxG46o+a+8RJhseGdX84rg1MU7mTaaYPhmZY0It1NyopUs3784aY= - SMTP_PASSWORD: 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 - SMTP_USERNAME: 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 - pgpassword: 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 - pgusername: 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 - template: - metadata: - creationTimestamp: null - name: prod-db-creds - namespace: vaultwarden diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index fe679f9..dd39ea5 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,3 +1,4 @@ +signupsAllowed: false resourceType: StatefulSet database: type: postgresql From a9625f96e6344b80308915db2095b12caca2bf50 Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Sat, 16 May 2026 20:23:58 +0200 Subject: [PATCH 38/64] db secrets --- .../resources/vaultwarden-db-secret-sealed.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml index d197377..4b894ec 100644 --- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml 
@@ -7,11 +7,11 @@ metadata: namespace: vaultwarden spec: encryptedData: - DATABASE_URL: AgCsu5gQQOJm3/dr4Wvy1KJMUmP5PRAh29fV+s/8SHhFZg4TajdgXskcY3NorJbF0DB5yOY8EPOwz9FZ3glkoBgfjkHWzZveUdoLab5uv7B7FxwWNgYK6qbOlU/Ol3AYCCqF95etVPANtlOLdhF4Amo0rMstBu/0i2cuqT2PyPp2K8L7gJH2UE1BSYlXYn9u/jSe9GGeBCcile1rmEQ6h8I3Wu2XyW/+asa98AsaERKRiAcuheRZ/wyzs0V70fAKghENvAVeOQLmch0wfZaQBrhBxsE+WHNUKT0wovo20rWtC1Ro/vGnXhvu5QWck2ATH2Y9dbELRQlTijMwpUOkYPp+u7k8X3CLyem3ubXGnU6RJBx0/duDmhzrMjGS6g7c+tiMjkwnsjr2OogykByrJ1459xwBmZQgu6wmraJyjD8SVTboJWLlBrbqP5eWUCp/ZO8uh24L3yRdqrnnSGsP9O90svtjZ3z61CUvcqw0tBjvIrWsjtopzXVI2O0RPcXWEJ6300ICtm0N3jCL84pOjLHIz5vhVMdRNmg/W3qd1mTqsf/796Ve8smMB0we4ig5Gqj4gfeMmdhWToUTnilHFbjYEgim+Ax3e1hXZ2WghpJ2Wt4WYWmeDBtkScLvAc+FdZY/QlwvgpuksnqnzzymipPBAVAnR+MEHKiTssTe4QctO4cmYG0bk83RUDGzOMf6ARWMdmagLwqssoJjlPY5ch5yjeJ8gxK7E4OAUNeaKY8xWHHUFL7mVAsbTb0Jl1gPkV8aM5b3OQhUNRbylV/pEfACEBxcxG46o+a+8RJhseGdX84rg1MU7mTaaYPhmZY0It1NyopUs3784aY= - SMTP_PASSWORD: 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 - SMTP_USERNAME: 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 - pgpassword: AgArqTrW04RdUa7x6u/yzMCcpJC3Hx4J9o0gM7D5ftrpjZ/yv7A/2fZvIdJSk3LLDlUoOaT/yXNKNnV9R0GAMXT5daVAl23+5qkIbZC5LsPVI0RlCKQ1oXBXb64jmGTNXrOz+kV7MT9N+eDAYd5D2oxAlZUE7gJ3UiYVdFxUTYmtbtdPJcrAdpoZ3aq8L4Inpz4jb8nfm4zvlvbk+pWY2uiQPDpORqcW9BhroIruYGNOTRSZmXQjSCA1BOutZ0iACzN2jPnzvjuQUUksgo50fd3wsvneVjT+ZwvXHiBwoUuAWT0hhJQYRkM5JMOmSNRkSksxXMoLfwDzunRFlfi5Nd19V2aleio88RfdrQ/j6AIAevY+S3NW72/UEcQZseUbpMgbomlDJn3hBAqqOzf85B/y2y9y7euFrRGYC3y5aUGvdQOCqGjM3PXZctN1D7ncPpxq6VK1zoo/PYbpyv+oga7y3wNz0nNRzmTdfynP48ftXIXAyEx6N0fE1BhqhOhJIxVdPM1lh8LqHtbD2IraIZ1CMVZi1dYYzxeaPItzM5Wc5xkIgdX3NK4LO1H2O6u9klSJwgJycAZtxKEQz8YeYIT9ETTN1FzKNAZgUoD/ZvaeXvkwI4NuLKebVwtRuk/5w1JxWqb8EvQx96C/QJfzbwfEGbtt44eCWqhlffp/yiLHhvGst6s+wjCirrEJ40iConLzVcwAWD6oksCkiLQ2Omx4V5PC7Uq9tKv/y8h2YWAylFHFj+0C2iR9L4mbGw== - pgusername: 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 + DATABASE_URL: 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 
+ SMTP_PASSWORD: AgAtIr/FR46AO/UfvSt4PxK0yZpHGLSjKhXBU7vlH7MefzIJIKE8+fLB3S243W1gcU3izmE9igtiIwbf0ab7Kg3i2s3gbF9FJwFOFL+046Yds78RhwKahy7HhVi/0Gqq3+CRnNRc/c4N/aOSSH1mvNsPZwu1zqy3+EYAAtvN8IEO24abq9QNbb5iYvMlbHZuHKYbPJQycOZ/xn8ncJUeW63MmoygwmI3/C4vx2cnB+YUGJAJPqQtKY6rBZ4+r3fAyrPjB4aWQwZX0pGPuK1odVN32MWV/9dFe+Puhw5WIULIxffZXCNa5ba6UEUpwxH3k/iztaG5xFbfHMWmWfAjDuJE5VThpg5H5yLr6jZXnvx0GtbdGNvrDbC3H9ubinN/th8ucXOcXBbWGPKQ7EvLdrzjD/CPr3kaN+O6LWCeiw7wpnOGL2iUygmzZXCzp9TjAM7PjNHhoPml2cFu6f3iaz5rVmRAzUccx9WAK9/GmQ191pWmambw1Dg5aYiO8GhwJiXTB/vqt6ItQdr8eUi83y/8MNSDMbMBb6jfBp+NyULLURKrgpQckfna5sp4Af4AgjtYUTb2L/pmVpEP04DKYdFPkZaTsvUTniUIK5m+ijWwCqvwgSFmYa1kxY8aAyEKiTHNjXxzRwBDrRcUABEFGgf4dSE4wQTbAPzm7KxD3PIN+Wuwks1dGxuhf/d5xk/IeJePiNFp36JSey7E+JW78eYPmS/inUYiWm4tp+DaEiY4 + SMTP_USERNAME: AgBQOI1epWjDxmk3MfiNud7NbD9v0y6PZ1uwBLOKymRkbEDsXlFLSq4kwqydInWmI+rudRIE3IWyEhKl/iXpSDeVyejAWRxJuy9zrK9d1OewPw0UIMz1sRhG5Gc6JtTaZLyvXAXg67n6u+eTaPHUDpFJI7X1uE2+LqJJjXKV0mkQzOiagG0TYHHCcmK1uTG3vZPxMtGwVLW+HGHuntzS+IKDyaemgYl/TewITYlXMIrLZnaBDy+IGzk67t43MJcQcGJ9DQSrkNkm7XlpCJ7EjUJ+BqSlDZFfyXImRvutMO4aXolJY83PG/gFDwqe1as/E6DO8Hcg0XiKP281q6BxScrK1AfZ7qLZsIEYAVLW5Ni+BcV4EFDnnJxAUM4QB1WR9xzNyGxirtGOfbo9XcbxaY2TPHoiG3qzssRjksE8+nUDyz2JO57fAdmeU6jveIEeRzBLscrdSY0My4gyg15RLo+jySUqAOhvIMDAKAWy4I6t+J0y2N+H7xxmnXHI8+FW+gK77uCGjwCoJ8YtLpOHna7bNWVdKxesOEnKnioHPrPFrt9rueMioF04ioedOTtlYobJr66kprPgoLzNyiop5Mbd+4CJB4/o4QH1XGYMtuqHF1ZwUhCJ7KG3yav1ZI0dgBC+D2r9BKCkPTyMh4scQUj7ge+jtj/ANxsxHyvb+MhOzTQ8TEfJ2RN9SkuC4gU4tsFLC6LtH6JMwnTF9Qgzz+CPmzbJpXUifBVNhuWA + pgpassword: 
AgC2VJvvlC/I3ORt3lP5NPdcI/Rdj+sPrQnvn2Vq+0B5Y8RGXdifcV6Okr5b0Y5UmM696yaloIcLuOjTuAowJ1rxo1T1p/RbONNIZe2vOMoFpV3M5EeNY8roZYDVlcH9RbYRzQM6+jIGVSGbEi23LBlpYtA6BpRI8lh07UglUssgahV02ufjXuo0shd/P/W8zcaIXo75A+PqxsoSLJm8M/WHSWx4cm5T6Rrcm+OEN82nZK249hrOJO3um7EBnxov3Splrqzc+E/4r7e9P/FwseKMs7Zw/7UU7JFpwkHv20lTmjaxH2Vtf9EKqoAHVlMMqVErrZbHc6JZNzxe+p+7PPPNAx388FyGHVnr3nJZh+UW1rzRQ7fe9qBIKdlVlPjbeXb3WsqLgAAWyPhZdIiO+DNK0RUBkXXLc9v59yjMKLzeMmEGZ08CKTBQs2IUVSE7NJ+qNk9N5vtAtU5KvNLQXbNsW/0lfm1z/JQPDr1655vLYXCuSCUZGIgguV70kUl1CqEjgkHUFTAph0H5ioPzY12qMRdzVb0kNIM5xvR7UjgHBpgqgXm9AfK5OKVEJyuw0U0c2Yf8nw6JIysV0l5jFQcv5QYQfQaZ4lbECQ1NIYBR5UXwhTHrShtO2SqVKgRe/5St/D7M0izBvvj4nj5eJol8wM5n2iysL6RbCfBSS3/mHoCA2NokFMWUIicUErxnraO6kvElst35ytVU1/+7hv5oD8kQccy5yecJ18xKF3o0a7qx4Cf7Hmc/hvZHkg== + pgusername: 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 template: metadata: creationTimestamp: null From ad661ba3dd4c0df105517f3b2da6758df7602fbe Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:27:36 +0200 Subject: [PATCH 39/64] allow signup --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index dd39ea5..82b1651 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,4 +1,4 @@ -signupsAllowed: false +signupsAllowed: true resourceType: StatefulSet database: type: postgresql From c37bd3ef04f3b655f84882c2c505c6ee4d5d4fbf Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:30:32 +0200 Subject: [PATCH 40/64] from --- infra/values/upc-dev/vaultwarden-values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 82b1651..ba2dd3a 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml 
+++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -17,7 +17,7 @@ ingress: hostname: bitwarden.forteapps.net additionalAnnotations: cert-manager.io/cluster-issuer: letsencrypt-prod - gethomepage.dev/enabled: "true" + gethomepage.dev/enabled: "false" gethomepage.dev/name: "BitWarden" gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" @@ -35,7 +35,7 @@ service: smtp: host: smtp.office365.com - from: no-reply@forteapps.net + from: noreply@fortedigital.com fromName: "Forte Bitwarden Administrator" existingSecret: prod-db-creds username: From d3fac4d43ef06148e12252983491599b998daa2f Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:34:22 +0200 Subject: [PATCH 41/64] smtp port --- infra/values/upc-dev/vaultwarden-values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index ba2dd3a..e01a681 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -37,6 +37,8 @@ smtp: host: smtp.office365.com from: noreply@fortedigital.com fromName: "Forte Bitwarden Administrator" + port: 587 + debug: true existingSecret: prod-db-creds username: existingSecretKey: SMTP_USERNAME From b47b0035f5d29eb11413fd868214e42aa2446927 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:38:21 +0200 Subject: [PATCH 42/64] smtp auth --- infra/values/upc-dev/vaultwarden-values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index e01a681..e973246 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml 
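Review bot: `debug: true` under `smtp` turns on Vaultwarden's SMTP_DEBUG, and Vaultwarden's own configuration template warns that this output can include the SMTP username and password, so the Office 365 credential sealed into `prod-db-creds` may end up in plain text in pod logs and any log aggregation that scrapes them. This should be a temporary troubleshooting switch, not a committed default; once the STARTTLS/port 587 setup is confirmed working, drop the line or set `debug: false`. If it has already run with debug enabled in the cluster, treat the SMTP password as potentially exposed in logs and rotate it.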
@@ -35,9 +35,11 @@ service: smtp: host: smtp.office365.com + security: starttls + port: 587 + authMechanism: "Login" from: noreply@fortedigital.com fromName: "Forte Bitwarden Administrator" - port: 587 debug: true existingSecret: prod-db-creds username: From 1a2817e53713641511a106cb4fc1fb8ddf7568af Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:42:17 +0200 Subject: [PATCH 43/64] domain fix --- docs/REFERENCE.md | 2 +- infra/values/upc-dev/vaultwarden-values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 74d5568..52d43e5 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -1074,7 +1074,7 @@ dind: **Configuration**: ```yaml # infra/overlays/upc-dev/vaultwarden/ + infra/values/ -domain: "https://vaultwarden.forteapps.net" +domain: "https://bitwarden.forteapps.net" ingress: enabled: true diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index e973246..e772c9a 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,3 +1,4 @@ +domain: "https://bitwarden.forteapps.net" signupsAllowed: true resourceType: StatefulSet database: From 070799da05fb2b85bf1cb1e1855d3eb297463e2b Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:49:25 +0200 Subject: [PATCH 44/64] bitw --- infra/values/upc-dev/vaultwarden-values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index e772c9a..4187ba9 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,4 +1,4 @@ -domain: "https://bitwarden.forteapps.net" +domain: "https://bitw.forteapps.net" signupsAllowed: true resourceType: StatefulSet database: 
@@ -15,7 +15,7 @@ ingress: class: "traefik" tls: true tlsSecret: vaultwarden-tls - hostname: bitwarden.forteapps.net + hostname: bitw.forteapps.net additionalAnnotations: cert-manager.io/cluster-issuer: letsencrypt-prod gethomepage.dev/enabled: "false" @@ -23,7 +23,7 @@ ingress: gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" gethomepage.dev/icon: "bitwarden" - gethomepage.dev/href: "https://bitwarden.forteapps.net" + gethomepage.dev/href: "https://bitw.forteapps.net" replicas: 1 # Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs From 957757e557f3f75252dd1d1144cca026840fcd3b Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:51:44 +0200 Subject: [PATCH 45/64] host --- infra/values/upc-dev/vaultwarden-values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 4187ba9..1032195 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,4 +1,4 @@ -domain: "https://bitw.forteapps.net" +domain: "https://vaultwarden.forteapps.net" signupsAllowed: true resourceType: StatefulSet database: @@ -15,7 +15,7 @@ ingress: class: "traefik" tls: true tlsSecret: vaultwarden-tls - hostname: bitw.forteapps.net + hostname: vaultwarden.forteapps.net additionalAnnotations: cert-manager.io/cluster-issuer: letsencrypt-prod gethomepage.dev/enabled: "false" @@ -23,7 +23,7 @@ ingress: gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" gethomepage.dev/icon: "bitwarden" - gethomepage.dev/href: "https://bitw.forteapps.net" + gethomepage.dev/href: "https://vaultwarden.forteapps.net" replicas: 1 # Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs 
From 2509ef062cf864a978041ca8e4fa359aac7894e9 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 20:58:00 +0200 Subject: [PATCH 46/64] domain restriction --- infra/values/upc-dev/vaultwarden-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 1032195..0b84a5a 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,5 +1,6 @@ domain: "https://vaultwarden.forteapps.net" signupsAllowed: true +signupDomains: "fortedigital.com" resourceType: StatefulSet database: type: postgresql From 693f2f9168610a80104b0c8033eb6d93614de15f Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:07:29 +0200 Subject: [PATCH 47/64] homepage --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 0b84a5a..9d5d99c 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -19,7 +19,7 @@ ingress: hostname: vaultwarden.forteapps.net additionalAnnotations: cert-manager.io/cluster-issuer: letsencrypt-prod - gethomepage.dev/enabled: "false" + gethomepage.dev/enabled: "true" gethomepage.dev/name: "BitWarden" gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" From d7a0c261178a926013b4ed3d27c297f275c3cbdd Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:08:36 +0200 Subject: [PATCH 48/64] icon --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 9d5d99c..b6eb06a 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml 
@@ -23,7 +23,7 @@ ingress: gethomepage.dev/name: "BitWarden" gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" - gethomepage.dev/icon: "bitwarden" + gethomepage.dev/icon: "vaultwarden" gethomepage.dev/href: "https://vaultwarden.forteapps.net" replicas: 1 From 2796e1b9d3d17972c258c4be2d212bf5154be05a Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:09:04 +0200 Subject: [PATCH 49/64] name --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index b6eb06a..e26c985 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -20,7 +20,7 @@ ingress: additionalAnnotations: cert-manager.io/cluster-issuer: letsencrypt-prod gethomepage.dev/enabled: "true" - gethomepage.dev/name: "BitWarden" + gethomepage.dev/name: "VaultWarden" gethomepage.dev/description: "Password management" gethomepage.dev/group: "Security" gethomepage.dev/icon: "vaultwarden" From d7bda18aeade7a40ba480f173711e42ca77a511c Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:11:17 +0200 Subject: [PATCH 50/64] domain --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index e26c985..698e462 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,6 +1,6 @@ domain: "https://vaultwarden.forteapps.net" signupsAllowed: true -signupDomains: "fortedigital.com" +signupDomains: "fortedigital.com,pm.me" resourceType: StatefulSet database: type: postgresql From c0710b89bb85623a1d1df96b7ad0a9823d3ae705 Mon Sep 17 00:00:00 2001 
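Review bot: Adding `pm.me` to `signupDomains` effectively opens registration to the public, since pm.me is a free Proton Mail address anyone can obtain — the allowlist no longer restricts signups to the organisation. If a specific person needs an account from that domain, the safer route is an admin invitation (Vaultwarden's `INVITATIONS_ALLOWED`/admin-panel invite) rather than widening the domain whitelist, i.e. keep `signupDomains: "fortedigital.com"`. Because this is a password vault exposed on a public ingress, a self-registration path for arbitrary users also means arbitrary users can create vaults on the company instance.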
From: Danijel Simeunovic Date: Sat, 16 May 2026 21:15:38 +0200 Subject: [PATCH 51/64] no signup --- infra/values/upc-dev/vaultwarden-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 698e462..4c1531d 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -1,5 +1,5 @@ domain: "https://vaultwarden.forteapps.net" -signupsAllowed: true +signupsAllowed: false signupDomains: "fortedigital.com,pm.me" resourceType: StatefulSet database: From 1124377d97f4798ec6dcbafcf842814fb0a1f075 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:29:14 +0200 Subject: [PATCH 52/64] adminToken --- .../resources/vaultwarden-db-secret-sealed.yaml | 11 ++++++----- infra/values/upc-dev/vaultwarden-values.yaml | 3 +++ 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml index 4b894ec..de4b5b0 100644 --- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml 
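Review bot: Setting `signupsAllowed: false` here most likely does not close registration, because as far as I recall Vaultwarden's `is_signup_allowed` checks the domain whitelist first and only falls back to SIGNUPS_ALLOWED when `SIGNUPS_DOMAINS_WHITELIST` is empty — with `signupDomains: "fortedigital.com,pm.me"` still set two lines below, any address in those domains can keep registering regardless of this flag. If the intent is "no self-service signups at all", the `signupDomains` line has to go as well (or be replaced by invitations); if the intent is "only company addresses", then `pm.me` should be removed from the list. Either way a short comment above these two keys stating which behaviour is intended would prevent the next edit from re-opening it.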
@@ -7,11 +7,12 @@ metadata: namespace: vaultwarden spec: encryptedData: - DATABASE_URL: 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 - SMTP_PASSWORD: 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 - SMTP_USERNAME: AgBQOI1epWjDxmk3MfiNud7NbD9v0y6PZ1uwBLOKymRkbEDsXlFLSq4kwqydInWmI+rudRIE3IWyEhKl/iXpSDeVyejAWRxJuy9zrK9d1OewPw0UIMz1sRhG5Gc6JtTaZLyvXAXg67n6u+eTaPHUDpFJI7X1uE2+LqJJjXKV0mkQzOiagG0TYHHCcmK1uTG3vZPxMtGwVLW+HGHuntzS+IKDyaemgYl/TewITYlXMIrLZnaBDy+IGzk67t43MJcQcGJ9DQSrkNkm7XlpCJ7EjUJ+BqSlDZFfyXImRvutMO4aXolJY83PG/gFDwqe1as/E6DO8Hcg0XiKP281q6BxScrK1AfZ7qLZsIEYAVLW5Ni+BcV4EFDnnJxAUM4QB1WR9xzNyGxirtGOfbo9XcbxaY2TPHoiG3qzssRjksE8+nUDyz2JO57fAdmeU6jveIEeRzBLscrdSY0My4gyg15RLo+jySUqAOhvIMDAKAWy4I6t+J0y2N+H7xxmnXHI8+FW+gK77uCGjwCoJ8YtLpOHna7bNWVdKxesOEnKnioHPrPFrt9rueMioF04ioedOTtlYobJr66kprPgoLzNyiop5Mbd+4CJB4/o4QH1XGYMtuqHF1ZwUhCJ7KG3yav1ZI0dgBC+D2r9BKCkPTyMh4scQUj7ge+jtj/ANxsxHyvb+MhOzTQ8TEfJ2RN9SkuC4gU4tsFLC6LtH6JMwnTF9Qgzz+CPmzbJpXUifBVNhuWA - pgpassword: 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 - pgusername: 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 + DATABASE_URL: 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 + SMTP_PASSWORD: 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 + SMTP_USERNAME: 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 + adminToken: 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 + pgpassword: 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 + pgusername: 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 template: metadata: creationTimestamp: null diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 4c1531d..e37e8d9 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml 
@@ -1,3 +1,6 @@ +adminToken: + existingSecret: "prod-db-creds" + existingSecretKey: "adminToken" domain: "https://vaultwarden.forteapps.net" signupsAllowed: false signupDomains: "fortedigital.com,pm.me" From fda90f9e01b6a9762e7f4ffec731020129441823 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:34:34 +0200 Subject: [PATCH 53/64] adminToken enc --- .../resources/vaultwarden-db-secret-sealed.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml index de4b5b0..3592873 100644 --- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml +++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml 
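Review bot: The admin token wired in via `adminToken.existingSecret` guards Vaultwarden's `/admin` page, which the ingress in this values file exposes on the public hostname, so two things are worth confirming that the hunk does not show: that the sealed `adminToken` value is an Argon2 PHC hash produced with `vaultwarden hash` rather than the plaintext token (Vaultwarden accepts plaintext but logs a warning, and a leaked Secret then yields the admin token directly), and that `/admin` is additionally restricted at the ingress, for example a Traefik IP allowlist or forward-auth middleware on that path. The follow-up "adminToken enc" commit may already address the first point; a one-line comment such as `# Argon2 PHC hash, generated with: vaultwarden hash` next to `existingSecretKey: "adminToken"` would make that explicit for the next maintainer. Storing the admin token in a Secret named `prod-db-creds` also further overloads that Secret beyond database credentials.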
@@ -7,12 +7,12 @@ metadata: namespace: vaultwarden spec: encryptedData: - DATABASE_URL: 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 - SMTP_PASSWORD: AgBWAckE1/zkLUutpGdmLxEa+6zumDjhf+s2kVQmBQB+DU6nyEwxVMgnDYzTdTZv4hELo8In5ZMKcGfZWtGosUft0B+ClR9UFn0OQZReXbGopO09lDHsboXrVB1qzVxXvjCse/WLJfeOBfYQ0OghqPlx3hTGxoAp0LNdaufxNiRtNFiKO15OpkxO2FcoyFGV2nQVYP2GLQjUbahFLOSXHNul/CtwtK60qGsj9BiYyHJRlENkrih07PgOUaya3ZX456wk2rj7EvVzsJM3xcNsK829ym/CQVpn8OWXmN1XEUSHoGxYghT6MUhPFy30psjU8G9Qxy/MKZH3aYo3maseumTaQYuJS62r/SgCIVG0fC2Omp408UAeVMHK8ZNIe2fuq4RYyivjsqtK/WVuawEu5NcITCg7jFM+36R6u2ZhrhR8XIIA8cYZtrCdp3lsFam1iqs9lkDwTvlUwQFQKCTlRRau9mretkkiEzrHJd811/Y/cAO2zi2etKGGmmVcaQvjfq/+ffAqnl0+5wNPxpOAVpN1QeaBnZ3pTC4mIrSSbimlO9/Ra0++1POZxomPMIA1b7pODZQD3QW+TGPJB/lhEAFiJjBbtlizRTaW0Ef/+UddR0x66euXyRriRPdv8cG/79k0r/+B4Ft3HYW2QwjSNLhBhLm00Vw60ERu+RV/Abd0HcZhVmPmv5HIlJS3U0qOxFYlErFNd6+uxxbLJPyhE7SzSGJ8vERSZy6ipW3Nu6E+ - SMTP_USERNAME: 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 - adminToken: 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 - pgpassword: 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 - pgusername: 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 + DATABASE_URL: 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 + SMTP_PASSWORD: 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 + SMTP_USERNAME: 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 + adminToken: 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 + pgpassword: 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 + pgusername: 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 template: metadata: creationTimestamp: null From 117297effc8abc0f5fc9ebcfe1f6d2ac8dbbb73e Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Sat, 16 May 2026 21:47:59 +0200 Subject: [PATCH 54/64] sso vw --- docs/REFERENCE.md | 3 +++ .../vaultwarden/keycloak-client-config.yaml | 22 +++++++++++++++++++ .../upc-dev/vaultwarden/kustomization.yaml | 1 + infra/values/upc-dev/vaultwarden-values.yaml | 12 ++++++++++ 4 files changed, 38 insertions(+) create mode 100644 infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 52d43e5..04b3d23 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -1097,6 +1097,8 @@ storage: **TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc). +**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled. + **Endpoints**: - Web UI: `https://bitwarden.forteapps.net` @@ -1104,6 +1106,7 @@ storage: **Secrets**: - `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials +- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret - `vaultwarden-tls` — auto-managed by cert-manager ### AI Code Review (ai-review) diff --git a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml new file mode 100644 index 0000000..35ab8a0 --- /dev/null +++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-client-vaultwarden + namespace: vaultwarden + labels: + keycloak.forteapps.net/client-config: "true" +stringData: + client.json: | + { + "clientId": "vaultwarden", + "name": "Vaultwarden", + "redirectUris": ["https://vaultwarden.forteapps.net/*"], + "webOrigins": ["https://vaultwarden.forteapps.net"], + "defaultClientScopes": ["openid", "email", "profile"], + "protocolMappers": [], + "secret": { + "namespace": "vaultwarden", + "name": "vaultwarden-oidc-credentials", + "keys": { "clientId": "client-id", "clientSecret": "client-secret" } + } + } diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml index 65b394b..46b4f10 100644 --- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml +++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - vaultwarden.yaml +- keycloak-client-config.yaml diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index e37e8d9..3b110b2 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -68,3 +68,15 @@ storage: path: /files keepPvc: true accessMode: "ReadWriteOnce" + +sso: + enabled: true + existingSecret: vaultwarden-oidc-credentials + authority: "https://id.forteapps.net/realms/forte" + scopes: "email profile" + pkce: true + signupsMatchEmail: true + clientId: + existingSecretKey: client-id + clientSecret: + existingSecretKey: client-secret From 2641d557848d7d6e31f8be229eb4510f7e0d30f6 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:53:36 +0200 Subject: [PATCH 55/64] scopes --- infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml | 1 - 1 file changed, 1 deletion(-) 
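Review bot: `redirectUris` uses a trailing wildcard (`https://vaultwarden.forteapps.net/*`), so Keycloak will accept any path on the host as an authorization-code return target; restricting it to the single callback path Vaultwarden uses (`/identity/connect/oidc-signin` in upstream Vaultwarden's SSO implementation — confirm against the deployed version) is the usual hardening, e.g. `"redirectUris": ["https://vaultwarden.forteapps.net/identity/connect/oidc-signin"]`. REFERENCE.md in this commit states "PKCE enabled", but this client definition only enables PKCE on the Vaultwarden side (`pkce: true` in the values hunk); Keycloak will not require it unless the client carries `attributes: {"pkce.code.challenge.method": "S256"}`, and the registrar's jq template (PATCH 56) only forwards the fields it names, so both `client.json` and the template would need that field. `webOrigins` is fine as written.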
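Review bot: `existingSecret: vaultwarden-oidc-credentials` points at a Secret that the registrar CronJob creates asynchronously (every 2 minutes per the REFERENCE.md hunk in PATCH 64), so the first sync of this Application can start the Vaultwarden pod before the Secret exists; a comment such as `# created by keycloak-client-registrar once keycloak-client-config.yaml is applied; expect a pending pod on first rollout` would save the next operator a debugging round. `signupsMatchEmail: true` links an incoming SSO identity to an existing local account by e-mail address, which places trust in the identity provider's e-mail claim — worth one line in REFERENCE.md noting that the `forte` realm is the authority for that mapping and whether a verified e-mail is required (not visible here).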
diff --git a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml index 35ab8a0..552f281 100644 --- a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml +++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml @@ -12,7 +12,6 @@ stringData: "name": "Vaultwarden", "redirectUris": ["https://vaultwarden.forteapps.net/*"], "webOrigins": ["https://vaultwarden.forteapps.net"], - "defaultClientScopes": ["openid", "email", "profile"], "protocolMappers": [], "secret": { "namespace": "vaultwarden", From 6bf7db21d02650ab1cd65ee5123b6f83a0ea6664 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:55:44 +0200 Subject: [PATCH 56/64] registrar error --- infra/values/base/keycloak-values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index c6745db..d7899fb 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -528,9 +528,8 @@ extraDeploy: publicClient: false, redirectUris: .redirectUris, webOrigins: .webOrigins, - defaultClientScopes: .defaultClientScopes, protocolMappers: (.protocolMappers // []) - }') + } | with_entries(select(.value != null))') # Check if client already exists EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ From f36996da11e77023e480475c5a94de227a0bf2cf Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 21:57:44 +0200 Subject: [PATCH 57/64] script fix --- infra/values/base/keycloak-values.yaml | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index d7899fb..270c9be 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml 
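Review bot: With `defaultClientScopes` dropped from the jq template and null values filtered by `with_entries(select(.value != null))`, a `defaultClientScopes` entry in `client.json` is now silently ignored, yet the DEVELOPER-GUIDE table rewritten in PATCH 64 (`@@ -1336,16 +1336,34 @@`) still lists it as a supported field with a default of `["openid", "email", "profile"]`. Either remove that row or change it to say that scopes are left to the realm defaults; otherwise the next client config will repeat the error this commit works around. The enclosing registrar script starts and ends outside the hunk.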
@@ -532,39 +532,43 @@ extraDeploy: } | with_entries(select(.value != null))') # Check if client already exists - EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ - "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \ - | jq -r '.[0].id // empty') + EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ + "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true) + EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true) if [ -n "$EXISTING" ]; then echo " Updating existing Keycloak client (uuid: ${EXISTING})" - HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \ + RESPONSE=$(curl -s -w "\n%{http_code}" \ -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type: application/json" \ -X PUT -d "$KC_CLIENT" \ - "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}") + "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true) + HTTP_CODE=$(echo "$RESPONSE" | tail -1) + RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d') if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then - echo " ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})" + echo " ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}" annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error" continue fi CLIENT_UUID="$EXISTING" else echo " Creating new Keycloak client '${CLIENT_ID}'" - HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \ + RESPONSE=$(curl -s -w "\n%{http_code}" \ -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type: application/json" \ -X POST -d "$KC_CLIENT" \ - "${KEYCLOAK_URL}/admin/realms/${REALM}/clients") + "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true) + HTTP_CODE=$(echo "$RESPONSE" | tail -1) + RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d') if [ "$HTTP_CODE" != "201" ]; then - echo " ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})" + echo " ERROR: Failed to create client 
'${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}" annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error" continue fi # Fetch the newly created client's UUID - CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ + CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \ - | jq -r '.[0].id') + | jq -r '.[0].id' || true) fi # Sync credentials to target namespace From 3eca723f054056b96afd14940c84523610aea5be Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 22:05:02 +0200 Subject: [PATCH 58/64] diffs --- infra/base/keycloak/keycloak.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/infra/base/keycloak/keycloak.yaml b/infra/base/keycloak/keycloak.yaml index 937a243..96ebab5 100644 --- a/infra/base/keycloak/keycloak.yaml +++ b/infra/base/keycloak/keycloak.yaml @@ -43,10 +43,6 @@ spec: - ServerSideApply=true ignoreDifferences: - - group: batch - kind: CronJob - jsonPointers: - - /spec/jobTemplate/spec/template/spec/containers/0/args - group: apps kind: StatefulSet jsonPointers: From cf9eb47ecf0a9297545df175743616afe6dd46ea Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 22:08:56 +0200 Subject: [PATCH 59/64] script fix --- infra/values/base/keycloak-values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 270c9be..c305055 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml 
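Review bot: The post-create lookup at the end of the hunk, `jq -r '.[0].id' || true`, can set `CLIENT_UUID` to the literal string `null` (empty result array) or to an empty string (transport failure, expired token, error document), and the credential sync that follows outside the hunk then runs with that value; the first lookup already uses `// empty`, and this one needs the same plus a guard before the sync. Removing `-f` is right for the PUT/POST calls because their status is checked explicitly, but the two GETs now have no status check at all, so a transient 401/5xx on the existence lookup silently routes an existing client into the create branch (which the 409 then reports as an error and annotates). The loop body this hunk sits in starts and ends outside the hunk.
```shell
    # Fetch the newly created client's UUID
    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
      | jq -r '.[0].id // empty' 2>/dev/null || true)
  fi
  if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then
    echo " ERROR: Could not resolve UUID for client '${CLIENT_ID}'"
    annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
    continue
  fi
  # … unchanged: credential sync to target namespace …
```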
@@ -505,10 +505,10 @@ extraDeploy: CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"') # Check if credential Secret already exists in target namespace - CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \ + CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \ --cacert "$CA_CERT" \ -H "Authorization: Bearer ${SA_TOKEN}" \ - "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}") + "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000") # Skip if hash matches and credential Secret exists if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then From d47dba2ae54fabfcb457cf327a25c75bad6c2c88 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 22:12:04 +0200 Subject: [PATCH 60/64] signups --- infra/values/upc-dev/vaultwarden-values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 3b110b2..9027341 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml @@ -3,7 +3,6 @@ adminToken: existingSecretKey: "adminToken" domain: "https://vaultwarden.forteapps.net" signupsAllowed: false -signupDomains: "fortedigital.com,pm.me" resourceType: StatefulSet database: type: postgresql From c49d03d7f79cbf7340eca3a39e55997dc4036a39 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Sat, 16 May 2026 23:04:11 +0200 Subject: [PATCH 61/64] onlySSO --- infra/values/upc-dev/vaultwarden-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml index 9027341..c53ba7f 100644 --- a/infra/values/upc-dev/vaultwarden-values.yaml +++ b/infra/values/upc-dev/vaultwarden-values.yaml 
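Review bot: On a transport failure `CRED_EXISTS` ends up as `000000`, because curl still emits the `-w` output (`000`) when the transfer fails and `|| echo "000"` then appends a second one; the `= "200"` comparison still behaves, but anything that logs the value will be misleading. `|| true` keeps curl's own `000`: `"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || true)`. The surrounding loop body starts and ends outside the hunk.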
@@ -73,6 +73,7 @@ sso: existingSecret: vaultwarden-oidc-credentials authority: "https://id.forteapps.net/realms/forte" scopes: "email profile" + onlySSO: true pkce: true signupsMatchEmail: true clientId: From 0582cd9917599f4434dbbf3a97acda16317f735c Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Wed, 27 May 2026 22:25:13 +0200 Subject: [PATCH 62/64] policy --- cluster-resources/policies/label-checker.yaml | 40 ------------------- 1 file changed, 40 deletions(-) delete mode 100644 cluster-resources/policies/label-checker.yaml diff --git a/cluster-resources/policies/label-checker.yaml b/cluster-resources/policies/label-checker.yaml deleted file mode 100644 index 129007a..0000000 --- a/cluster-resources/policies/label-checker.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-labels - annotations: - policies.kyverno.io/title: Require Labels - policies.kyverno.io/category: Best Practices - policies.kyverno.io/minversion: 1.6.0 - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Label - policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-for-labels - skipBackgroundRequests: true - exclude: - any: - - resources: - namespaces: - - kube-system - - istio-system - - argocd - - cert-manager - - monitoring - - secrets - - kyverno - match: - any: - - resources: - kinds: - - Pod - validate: - message: The label `app.kubernetes.io/name` is required. - allowExistingViolations: true - pattern: - metadata: - labels: - app.kubernetes.io/name: "?*" 
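Review bot: `onlySSO: true` makes the Keycloak `forte` realm the only login path for users, so a Keycloak or registrar outage becomes a Vaultwarden login outage and no break-glass procedure is documented; the REFERENCE.md SSO paragraph (PATCH 54) should state this and name the recovery path. The `/admin` panel, gated by the `adminToken` sealed earlier in this series, appears to stay outside SSO (in upstream Vaultwarden the SSO-only switch affects user login, not the admin page — confirm for the deployed version), which leaves it as the remaining credential-based entry point. A one-line comment next to the flag, `# password login disabled: a Keycloak outage is a login outage`, would keep that visible to the next editor.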
From 396c771f59790e0c4c77735f845a62d8ca915623 Mon Sep 17 00:00:00 2001 From: "jorgen.stensrud" Date: Thu, 28 May 2026 14:04:05 +0000 Subject: [PATCH 63/64] feat(homepage): list forte_drop in Apps (#16) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds forte_drop as an external service entry in the upc-dev Homepage portal. - Target host: https://drop.hackathon.forteapps.net (current Coolify deploy). - One-line addition under `services > Apps` in `infra/values/upc-dev/homepage-values.yaml`. - Will be retargeted to https://drop.forteapps.net once the K8s migration ships (spec in forte_drop repo: docs/superpowers/specs/2026-05-28-k8s-migration-design.md). Zero risk — pure metadata, no cluster mutation beyond Homepage refresh. Co-authored-by: Sten Reviewed-on: https://git.forteapps.net/Forte/launchpad/pulls/16 Reviewed-by: Danijel Simeunovic --- infra/values/upc-dev/homepage-values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/infra/values/upc-dev/homepage-values.yaml b/infra/values/upc-dev/homepage-values.yaml index a622d68..ac71704 100644 --- a/infra/values/upc-dev/homepage-values.yaml +++ b/infra/values/upc-dev/homepage-values.yaml @@ -59,6 +59,10 @@ config: href: https://benken.hackathon.forteapps.net description: Teknisk kompetanse fra offentlige anbud icon: forte + - Forte Drop: + href: https://drop.hackathon.forteapps.net + description: Self-hosted HTML-drops + MCP for Claude + icon: forte - Forte Feedback: href: https://feedback.forteapps.net description: Fortes internal feedback app From 6e175e9e8caf7bacdfa34ae077f14a3f3bb6ec91 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Fri, 29 May 2026 15:20:51 +0200 Subject: [PATCH 64/64] docs --- devbox.json | 4 +++- docs/DEVELOPER-GUIDE.md | 38 ++++++++++++++++++++++++++++---------- docs/REFERENCE.md | 11 ++++++++++- 3 files changed, 41 insertions(+), 12 deletions(-) diff --git a/devbox.json b/devbox.json index ff78cb9..0f146ce 100644 --- a/devbox.json 
+++ b/devbox.json @@ -17,7 +17,9 @@ "claude-code@latest", "go@latest", "dotnet-sdk@latest", - "opentofu@1.11.6" + "opentofu@1.11.6", + "_1password@latest", + "github-cli@latest" ], "shell": { "init_hook": [ diff --git a/docs/DEVELOPER-GUIDE.md b/docs/DEVELOPER-GUIDE.md index 77e9465..739060d 100644 --- a/docs/DEVELOPER-GUIDE.md +++ b/docs/DEVELOPER-GUIDE.md 
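Review bot: The two new entries are unpinned (`_1password@latest`, `github-cli@latest`), matching the existing `claude-code@latest`/`go@latest` style but not the `opentofu@1.11.6` pin directly above them; both tools handle credentials (the 1Password CLI and `gh` auth tokens), so an unpinned resolution means two developers can run different binaries with no record of which. If reproducibility of the dev shell matters, pinning them the way opentofu is pinned is the consistent choice; otherwise a comment recording that `@latest` is intentional for tooling would settle the question.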
@@ -1336,16 +1336,34 @@ stringData: | Field | Required | Description | |-------|----------|-------------| -| `clientId` | Yes | Keycloak client ID | -| `name` | Yes | Display name in Keycloak | -| `redirectUris` | Yes | Allowed redirect URIs | -| `webOrigins` | Yes | Allowed web origins (CORS) | -| `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) | -| `protocolMappers` | No | Custom claim mappers (default: `[]`) | -| `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) | -| `secret.name` | No | Name of the credential Secret (default: `-oidc-credentials`) | -| `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) | -| `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) | +| `clientId` | Yes | Keycloak client ID (must be unique in realm) | +| `name` | Yes | Display name in Keycloak UI | +| `redirectUris` | Yes | Allowed OAuth redirect URLs (supports wildcards like `/*`) | +| `webOrigins` | Yes | Allowed CORS origins | +| `defaultClientScopes` | No | OIDC scopes (default: `["openid", "email", "profile"]`) | +| `protocolMappers` | No | Custom claim mappers for tokens (see examples below) | +| `secret.namespace` | No | Target namespace for credentials (default: `source-namespace` annotation value) | +| `secret.name` | No | Credential Secret name (default: `-oidc-credentials`) | +| `secret.keys.clientId` | No | Key name for client ID (default: `client-id`) | +| `secret.keys.clientSecret` | No | Key name for client secret (default: `client-secret`) | + +**Protocol Mappers Example**: +```json +"protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "config": { + "claim.name": "groups", + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } +] +``` #### Step 2: 
Reference the Credential Secret diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 04b3d23..f0d1bc4 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -1242,9 +1242,18 @@ The realm uses a custom browser authentication flow (`browser-auto-idp`) that sk **Resources**: - `ServiceAccount`: `keycloak-client-registrar` (namespace: `keycloak`) -- `ClusterRole`: `keycloak-client-registrar` (secrets: get/list/create/update/patch; namespaces: get/list) +- `ClusterRole`: `keycloak-client-registrar` + - Secrets: `get`, `list`, `create`, `update`, `patch` + - Namespaces: `get`, `list` - `ClusterRoleBinding`: `keycloak-client-registrar` - `CronJob`: `keycloak-client-registrar` + - **Schedule**: `*/2 * * * *` (every 2 minutes) + - **Concurrency Policy**: `Forbid` (prevents concurrent runs) + - **Backoff Limit**: 3 retries per job + - **History**: 1 successful job, 3 failed jobs retained + - **Resources**: 50m CPU / 64Mi memory (requests), 200m CPU / 128Mi memory (limits) + +**Container**: Alpine 3.20 with `curl` and `jq` installed **Kyverno Policy**: `keycloak-client-config-cloner` — clones labeled Secrets from app namespaces to `keycloak` namespace (see [Kyverno Policies](#kyverno-policies))