From 708edd0fab0e18afef31690c5f3b60e919e8c9f0 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Wed, 20 May 2026 18:49:58 +0200
Subject: [PATCH] ppusher v2

---
 infra/overlays/upc-dev/kustomization.yaml     |  1 -
 .../kustomization.yaml                        |  4 -
 .../passwordpusher-postgresql.yaml            | 46 -----------
 .../passwordpusher-db-secret-sealed.yaml      | 17 ----
 .../passwordpusher-smtp-secret-sealed.yaml    | 16 ----
 .../passwordpusher/passwordpusher.yaml        | 27 ++++---
 .../passwordpusher/resources/deployment.yaml  | 77 +++++++++++++++++++
 .../passwordpusher/resources/ingress.yaml     | 33 ++++++++
 .../resources/kustomization.yaml              |  3 +
 .../passwordpusher-db-secret-sealed.yaml      | 17 ++++
 .../passwordpusher-smtp-secret-sealed.yaml    | 16 ++++
 .../resources/postgresql.yaml                 |  0
 .../passwordpusher/resources/service.yaml     | 18 +++++
 infra/values/base/passwordpusher-values.yaml  |  7 --
 .../values/upc-dev/passwordpusher-values.yaml | 50 ------------
 15 files changed, 179 insertions(+), 153 deletions(-)
 delete mode 100644 infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
 delete mode 100644 infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
 delete mode 100644 infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
 delete mode 100644 infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
 create mode 100644 infra/overlays/upc-dev/passwordpusher/resources/deployment.yaml
 create mode 100644 infra/overlays/upc-dev/passwordpusher/resources/ingress.yaml
 rename infra/overlays/upc-dev/{passwordpusher-postgresql => passwordpusher}/resources/kustomization.yaml (78%)
 create mode 100644 infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-db-secret-sealed.yaml
 create mode 100644 infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-smtp-secret-sealed.yaml
 rename infra/overlays/upc-dev/{passwordpusher-postgresql => passwordpusher}/resources/postgresql.yaml (100%)
 create mode 100644 infra/overlays/upc-dev/passwordpusher/resources/service.yaml
 delete mode 100644 infra/values/base/passwordpusher-values.yaml
 delete mode 100644 infra/values/upc-dev/passwordpusher-values.yaml

diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml
index 289efcc..2bb4e10 100644
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -4,7 +4,6 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
-- passwordpusher-postgresql
 - passwordpusher
 
 # No patches needed — base already has "upc-dev" paths
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
deleted file mode 100644
index 9734af9..0000000
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- passwordpusher-postgresql.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
deleted file mode 100644
index 126f49e..0000000
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: passwordpusher
----
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passwordpusher-postgresql
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/name: passwordpusher-postgresql
-    app.kubernetes.io/part-of: security
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: passwordpusher
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true
-
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/volumeClaimTemplates
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
deleted file mode 100644
index a761434..0000000
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-db-secret-sealed.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-db-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
-    pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
-    pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-db-creds
-      namespace: passwordpusher
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
deleted file mode 100644
index 80c6b67..0000000
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/passwordpusher-smtp-secret-sealed.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: passwordpusher-smtp-creds
-  namespace: passwordpusher
-spec:
-  encryptedData:
-    PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
-    PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
-  template:
-    metadata:
-      creationTimestamp: null
-      name: passwordpusher-smtp-creds
-      namespace: passwordpusher
diff --git a/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
index 89a24be..67d7db2 100644
--- a/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
+++ b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
@@ -1,3 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: passwordpusher
+---
+
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -14,19 +20,10 @@ metadata:
 spec:
   project: default
 
-  sources:
-  - repoURL: https://pglombardo.github.io/passwordpusher-charts
-    chart: password-pusher
-    targetRevision: "1.4.4"
-    helm:
-      releaseName: passwordpusher
-      valueFiles:
-      - $values/infra/values/base/passwordpusher-values.yaml
-      - $values/infra/values/upc-dev/passwordpusher-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
     targetRevision: HEAD
-    ref: values
+    path: infra/overlays/upc-dev/passwordpusher/resources
 
   destination:
     server: https://kubernetes.default.svc
@@ -41,3 +38,9 @@ spec:
     - CreateNamespace=true
     - Validate=true
     - ServerSideApply=true
+
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/volumeClaimTemplates
diff --git a/infra/overlays/upc-dev/passwordpusher/resources/deployment.yaml b/infra/overlays/upc-dev/passwordpusher/resources/deployment.yaml
new file mode 100644
index 0000000..884767c
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/resources/deployment.yaml
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: passwordpusher
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: passwordpusher
+    app.kubernetes.io/instance: passwordpusher
+    app.kubernetes.io/component: app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: passwordpusher
+      app.kubernetes.io/instance: passwordpusher
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: passwordpusher
+        app.kubernetes.io/instance: passwordpusher
+        app.kubernetes.io/component: app
+    spec:
+      containers:
+      - name: passwordpusher
+        image: docker.io/pglombardo/pwpush:release-1.51.0
+        ports:
+        - name: http
+          containerPort: 5100
+        env:
+        - name: PWP__HOST_DOMAIN
+          value: pwpush.forteapps.net
+        - name: PWP__HOST_PROTOCOL
+          value: https
+        - name: PWP__ENABLE_LOGINS
+          value: "true"
+        - name: PWP__ALLOW_ANONYMOUS
+          value: "false"
+        - name: PWP__SIGNUPS_ENABLED
+          value: "false"
+        - name: PWP__MAIL_RAISE_DELIVERY_ERRORS
+          value: "false"
+        - name: PWP__MAIL_SMTP_ADDRESS
+          value: smtp.office365.com
+        - name: PWP__MAIL_SMTP_PORT
+          value: "587"
+        - name: PWP__MAIL_SMTP_AUTHENTICATION
+          value: login
+        - name: PWP__MAIL_SMTP_STARTTLS
+          value: "true"
+        - name: PWP__MAIL_SMTP_DOMAIN
+          value: fortedigital.com
+        - name: PWP__MAIL_SENDER
+          value: noreply@fortedigital.com
+        envFrom:
+        - secretRef:
+            name: passwordpusher-db-creds
+        - secretRef:
+            name: passwordpusher-smtp-creds
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
diff --git a/infra/overlays/upc-dev/passwordpusher/resources/ingress.yaml b/infra/overlays/upc-dev/passwordpusher/resources/ingress.yaml
new file mode 100644
index 0000000..b9c8275
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/resources/ingress.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: passwordpusher
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: passwordpusher
+    app.kubernetes.io/instance: passwordpusher
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "PasswordPusher"
+    gethomepage.dev/description: "Share passwords securely with expiring links"
+    gethomepage.dev/group: "Security"
+    gethomepage.dev/icon: "passwordpusher"
+    gethomepage.dev/href: "https://pwpush.forteapps.net"
+spec:
+  ingressClassName: traefik
+  tls:
+  - secretName: passwordpusher-tls
+    hosts:
+    - pwpush.forteapps.net
+  rules:
+  - host: pwpush.forteapps.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: passwordpusher
+            port:
+              name: http
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher/resources/kustomization.yaml
similarity index 78%
rename from infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
rename to infra/overlays/upc-dev/passwordpusher/resources/kustomization.yaml
index ff9e89d..3a4b64a 100644
--- a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/passwordpusher/resources/kustomization.yaml
@@ -2,5 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - postgresql.yaml
+- deployment.yaml
+- service.yaml
+- ingress.yaml
 - passwordpusher-db-secret-sealed.yaml
 - passwordpusher-smtp-secret-sealed.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-db-secret-sealed.yaml b/infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-db-secret-sealed.yaml
new file mode 100644
index 0000000..9407412
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-db-secret-sealed.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: passwordpusher-db-creds
+  namespace: passwordpusher
+spec:
+  encryptedData:
+    DATABASE_URL: AgBzQyFkhTceQqpUN528xXnxf/P0veuO8I74wSOEuY2qThascssUhNnYmYXpIEwSpwYasEz1WksNQLR1IXBgrl/2FPUF4TOR/CvmF60zToXTp2mxCw4EBynXcsWDzQteTEL7DMmoGs4YdGqn/T2c8CQ873z1lgDEgZXDreZnL3bnQtbyyBvwK0xvhsPYsEhT490t0D0r0lfPmW1GoWkHRsPjGPJUZONrmULVW3unlqUGqO9t6A9XU5NasiEGwgfjToZo/bK4FpQOrGnI/N5PNp22zbZ6u+j9rKMkn6IFrbY3uTNdrDxu8I7OnrDD2DYMbDoFDj8W8Gt/VlLk1OK+gL4rf6U6SYKJMsJ1FyleuGHjY8aw1Xcgkwe7XwE/YjI7AEDCbH04HFb6MTHKcc/kNOoBpevhAWNtpXlTl10rRLsfEa3SVefN957R/bdTNshlNq1g0fXK5wSsDk1I4xWo8j17iHuVMXiRHcybapK849IWCxhUZBPE/OdN47LQ98AmNMolgpt7UGKkvb77MG1MS7QsaNfXkqnhZ0Gp2v6LL/UWhg72EdLozECA981XMdCRd5H36LYANtq5BeMgRw54uwfTw551SeP8+SCx/NBjaaHQCMHVHK9WhvjDD9iLWIRGNiPZxt4DP7oC3ERhB6L4aNir+pmS6xmdYAs85mYDbbNCfNjdRu6OyQPOwQI8Yr+LnF/NHpOuNOpIfsjcRwvkVrUD2qL4GnFk2a9jVw5EuTGdDA+Sw3a22SwiFj48GXsKJeanAqc7HrI+Cgsav99gdKB5IFH+AeN+4KX0
+    pgpassword: AgDB0+q0JPVtkiGkrJt2nQjdTYX1qELDwNiTbJ5lYrRdpnulC0jah3rpuZ+P3DjwTqL6ki+anG/bxTApMRnUSXE1yOL241yLtIAvmg3MuNl5lJnxzA+hlsdNYQ5O6tCCCAyMw4hwsinYF5elJF7jsdFt2YC5CIDodx3STjWksysEAkXihhsBlWcuGq6WAh5jwTjV8auUt2NgfN58OefVT2/sx680OAMuVCja71HkoFJaNKR+rVC0yTzMk80D2lx1fKD+awWYiUKB0/dfTUuIfmtq23ndhX6ZmUYJITiwom6xt86ta9uM5qD3DGExJK1qkl8O7EE6spDxNKRkk/DLsTtbpJ4a2a+QhM6YMbtGR9//4zvgCrncncWkoHhJ/rvt5oA8Vc2fDDn1OMYQLya0g/xJGxyxLIthAEC4rMgy24uPEHAKEzc2ScXyOUzB31vCOxQq6HEgWMAZgZr8oBOc1o7E6L6jsZR+l7aw7Zmi/B7K4OpfCMHyTDFPJxjL2FAfEyRls0/sLt3IkNttc6iFZPPg7NU/AoyHj4Ex6fbV1oEQAlFoNy6dDUxMPhwVaaHRce+aCOPn4Cv29IbVeaVaA74cJ2oi2HIu+nZEDdY1CkrYdXb2PAnZOYPTcGuUJU/kyIIT0XUAe7dUA+/02aE6vzpIyVQu2Lu2Vn1H5GOrIzaMZjtP0DVHNpmnG+6+V7ADayFOEKdjxBK5
+    pgusername: AgDIB/14c4lIs8OBYlE4/EbKyK931xyhCxFbAdupmuwDpNBED9ilCAaAf18PLd8lKfqI5950/TVIsV3sjJ/2Alcg+4niA29tQTVwpHiMOOr4XOXGyNkePpvVyrcmczOZGBdQ5+GJ8LOdN8jLD+ptB/JS7RxtTTDpZCjFiigcHLEibCMtRY4+0+m0FuQ63d7xcNs/P3Q2TZFBz+uXvv+Y19HNA2G9MojxgZzYPgq6MeWkcW046NY9IjeczyK7O3j0iHzCiciW2rtqzagpc7pp+0eyoi4ZS2F5Bc4JICvxEfdDWR8zIwSKScrXJ/N3q7SfIFDWDUO7Gl+9VxvD7MrRnKcRPeEwRmQTT/Ihey1QlGh+2C+/7pNNdSRfWQHt6p69XPX3gzYHimC9yyHgYyUAfbI2dV2ZxX4i1+79ab1MHe9ZbRH7xRX3B9ehXBXwAyvfUX/2bHAFfb05iaTVXgHLeEHlybKcufQKFx08k/qEkb0HK5VBT9nYUGm31rHZ16dMR4/lFNzfBUuxJuuID41jkZXApeGaWAHVi5g313VNJNjjx+quAATGrm0HOBwKZn4DHtrOJLmIw0e02rwe9ALqgIZCi6E24uha3OVCdSpWbzpyoU2npp+ZQ33GXtn2hSq2tf3voZo63iYBwKxxWc6udjUI4BmO+qktMgssjqoSkqDlDNKaiQn+jiboPPnGVTz+xOxO81IflIo=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: passwordpusher-db-creds
+      namespace: passwordpusher
diff --git a/infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-smtp-secret-sealed.yaml b/infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-smtp-secret-sealed.yaml
new file mode 100644
index 0000000..68989b8
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/resources/passwordpusher-smtp-secret-sealed.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: passwordpusher-smtp-creds
+  namespace: passwordpusher
+spec:
+  encryptedData:
+    PWP__MAIL_SMTP_PASSWORD: AgATJPqOStlRHlXtks4vLFszs/s3//oRDLR9vtzMY1leQv4Dj+kj4YeA0t/oOWVnl1dATW//tesBQ+CYaDrpKhVMzFXcE2NHchJ9X9iUqerR55zxByNmlI417AIEhnT/mcGzqBCfVZ83Vuq2j0FsDYFfwrjKeOIVZ0MYgFP2ewA4A6FpttFS2a9V5Af3b7GmIzGCcyxbppNPkzk83pisTnH+MlzrAC6qu7O/9QYWRIoqnccZOXqPzCSink96sQofXfdbzAf4ExSGwbsHI1/MUX0WO7QsNo8xyEG+q3TRQ3VXYyCOyrOZ9DgJ60/wHZQ+lhdeV1wNtYhXS/5Zx5NuQ9xo4qjFA395Ke6YQvwoN9tIka3InzoP5j7gi2hrn09jhghwnDIGvF1rsu9SX45GCefnHB+pbpbTWi7PoX2hZSYEpfZQGSRzfdvRM6roc1AFHZujNez4fnKJYWM3+0SzwgURvaKOU3hfOeW1qD7sHozuzeeXzIey7LyPx3j06jWxW+mNYErJr2IqG9Y7VXyzvCvammFa4S8/W2yi1d1x5Cy44GG0edf3jq6Q6UgzuKc0Sl0ReBRFYg+aiftREv9SGjKPnqWA9bh6ja+Wbc2lTkb8TmKFHuYitRujNynUIZVziScl6B7t81WkZtTuqchH9NqNdE++C3S4xBePlWZ/1sxFj2jKnfuLTsUVRd+N0zEOXgYl/GTMqtzQ2EqamnN10w==
+    PWP__MAIL_SMTP_USER_NAME: AgCd/qHbD0HqewPZsI2gjT9/l5iGb78Q0PCW9fCAt+GkcpvHBkp+eKAwFdglg+A4PJYgbUvb0wFzflnJluxbwdnNRY2kGzYhjCqFsE8TxrqZ+OvEpFy141rUtjYC8HMtT+l+l3JKoo/pkoJNilbFUEi/xK+/R5/hXqngHYvyrh+2T8xRrmlQaG845E3ESTc9ht7TkmQ/9fyrlAIisSNAvYqGnYfjzI2syswwYeRWDLL6/UL2DUaEmf0g6qheM570M8OADae+z/vQWZteC2a+tAdHTZ3w1G/diOkwC5dr95PFS2vW7jVbuE2CmNJ1a08EFJNKT3U+8d0RwGg765KA4RysQ5ygJOa/eBIaTC+QHnMxVMOih222drhphZUSkCPxkxl5NffLeuCubMfstBKRI77iORdIEG1Sqr03/ryAwIuCqXOcBuhDDGlEFG3x3dmW5kR3ADzwaXikNaU7VvRcHjeD9fDbVavqbJvBpevK84cJJ1JpM6nEl2iVXqp5eVR4W9FBgQy0M70sIENuSoxlPTUw1cfgpFuMApT1F53krbBRzOxxOjUqIrod81SYpB8POs5K9SeKVAwvp4MyN7pMDoYl5RMQw4s8+shKeLqZoKO/MfTyD1fpBmvMJiJLQudBi19AgnJj3/JVq2TCZ27/JBV3C1ua37JNdY3T2xwPreHGV5XlzxYPMDQe2WvzkGuJY66NwwIH5Iu46IubIzLfp/cxq/fstS3K8pDJXOOF
+  template:
+    metadata:
+      creationTimestamp: null
+      name: passwordpusher-smtp-creds
+      namespace: passwordpusher
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml b/infra/overlays/upc-dev/passwordpusher/resources/postgresql.yaml
similarity index 100%
rename from infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
rename to infra/overlays/upc-dev/passwordpusher/resources/postgresql.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher/resources/service.yaml b/infra/overlays/upc-dev/passwordpusher/resources/service.yaml
new file mode 100644
index 0000000..fe9bac9
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/resources/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: passwordpusher
+  namespace: passwordpusher
+  labels:
+    app.kubernetes.io/name: passwordpusher
+    app.kubernetes.io/instance: passwordpusher
+    app.kubernetes.io/component: app
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 5100
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: passwordpusher
+    app.kubernetes.io/instance: passwordpusher
diff --git a/infra/values/base/passwordpusher-values.yaml b/infra/values/base/passwordpusher-values.yaml
deleted file mode 100644
index f168a30..0000000
--- a/infra/values/base/passwordpusher-values.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-image:
-  repository: docker.io/pglombardo/pwpush
-  tag: "release-1.51.0"
-
-# Disable the bundled postgresql subchart — we run our own StatefulSet
-postgresql:
-  enabled: false
diff --git a/infra/values/upc-dev/passwordpusher-values.yaml b/infra/values/upc-dev/passwordpusher-values.yaml
deleted file mode 100644
index 63c1b2c..0000000
--- a/infra/values/upc-dev/passwordpusher-values.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-env:
-  PWP__HOST_DOMAIN: pwpush.forteapps.net
-  PWP__HOST_PROTOCOL: https
-  PWP__ENABLE_LOGINS: "true"
-  PWP__ALLOW_ANONYMOUS: "false"
-  PWP__SIGNUPS_ENABLED: "false"
-  PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
-  PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
-  PWP__MAIL_SMTP_PORT: "587"
-  PWP__MAIL_SMTP_AUTHENTICATION: login
-  PWP__MAIL_SMTP_STARTTLS: "true"
-  PWP__MAIL_SMTP_DOMAIN: fortedigital.com
-  PWP__MAIL_SENDER: noreply@fortedigital.com
-
-envFrom:
-- secretRef:
-    name: passwordpusher-db-creds
-- secretRef:
-    name: passwordpusher-smtp-creds
-
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/name: "PasswordPusher"
-    gethomepage.dev/description: "Share passwords securely with expiring links"
-    gethomepage.dev/group: "Security"
-    gethomepage.dev/icon: "passwordpusher"
-    gethomepage.dev/href: "https://pwpush.forteapps.net"
-  hosts:
-  - host: pwpush.forteapps.net
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: passwordpusher-tls
-    hosts:
-    - pwpush.forteapps.net
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 256Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-replicaCount: 1