multi cluster

_app-of-apps-eu.yaml

@@ -20,7 +20,7 @@ spec:
   source:
     repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
-    path: infra
+    path: infra/overlays/eu
   destination:
     server: https://kubernetes.default.svc
     namespace: default

_app-of-apps-us.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: infrastructure-apps
+    app.kubernetes.io/part-of: platform
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    targetRevision: HEAD
+    path: infra/overlays/us
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

apps/base/dot-ai-stack.yaml

@@ -27,29 +27,19 @@ metadata:
 spec:
   project: default
 
-  source:
-    repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
+  sources:
+  - repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
     chart: dot-ai-stack
     targetRevision: "0.56.0"
-
     helm:
       releaseName: dot-ai-stack
-      values: |
-        dot-ai:
-          ingress:
-            enabled: true
-            className: traefik
-            host: kubemcp.forteapps.net
-          webUI:
-            baseUrl: http://kubemcpui.forteapps.net
-        dot-ai-ui:
-          uiAuth:
-            secretRef:
-              name: dot-ai-secrets
-          ingress:
-            enabled: true
-            className: traefik
-            host: kubemcpui.forteapps.net
+      valueFiles:
+      - $values/infra/values/base/dot-ai-stack-values.yaml
+      - $values/infra/values/eu/dot-ai-stack-values.yaml
+
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    targetRevision: HEAD
+    ref: values
 
   destination:
     server: https://kubernetes.default.svc

apps/base/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dot-ai-stack.yaml
+- mcp10x.yaml
+- musicman.yaml
+- mcpcoder.yaml
+- argo-mcp.yaml

apps/overlays/eu/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+# No patches needed — base already has "eu" paths
+# EU is the default/base cluster

apps/overlays/us/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# dot-ai-stack: swap eu → us
+- target:
+    kind: Application
+    name: dot-ai-stack
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/us/dot-ai-stack-values.yaml

bootstrap.sh

@@ -2,7 +2,14 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-echo "running $0..."
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (eu|us)}"
+
+echo "running $0 for cluster: ${CLUSTER}..."
+
+# Source cluster config
+eval $(yq e 'to_entries | .[] | "export " + .key + "=\"" + .value + "\""' "clusters/${CLUSTER}.yaml")
+
+echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 
 ############################################################
 # Bootstrap                                                     #
@@ -31,15 +38,15 @@ ArgoCd()
 {
     # install argocd
     echo "Installing ArgoCD..."
-    CLUSTER_NAME="${CLUSTER_NAME:-dev-fd-no-svg1}"
     helm upgrade --install argocd argo-cd \
             --repo https://argoproj.github.io/argo-helm \
             --namespace argocd --create-namespace \
-            --values infra/values/argocd-values.yaml \
-            --set notifications.context.clusterName="$CLUSTER_NAME" \
+            --values infra/values/base/argocd-values.yaml \
+            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
+            --set notifications.context.clusterName="${clusterName}" \
             --timeout 60s --atomic
 
-    kubectl apply -f _app-of-apps.yaml -n argocd
+    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
 
 Bootstrap

clusters/eu.yaml

@@ -0,0 +1,10 @@
+clusterName: dev-fd-eu-no-svg1
+domain: forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
+grafanaDomain: grafana.forteapps.net
+keycloakDomain: id.forteapps.net
+dotaiDomain: kubemcp.forteapps.net
+dotaiUiDomain: kubemcpui.forteapps.net
+letsencryptEmail: danijels@gmail.com
+trustedIPs: "172.16.1.0/24"
+cloudProvider: upcloud

clusters/us.yaml

@@ -0,0 +1,10 @@
+clusterName: dev-fd-us-east1
+domain: us.forteapps.net
+argocdDomain: argocd.us.forteapps.net
+grafanaDomain: grafana.us.forteapps.net
+keycloakDomain: id.us.forteapps.net
+dotaiDomain: kubemcp.us.forteapps.net
+dotaiUiDomain: kubemcpui.us.forteapps.net
+letsencryptEmail: danijels@gmail.com
+trustedIPs: "10.0.0.0/16"
+cloudProvider: tbd

infra/base/enterprise-apps.yaml

@@ -18,7 +18,7 @@ spec:
   source:
     repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
-    path: apps
+    path: apps/overlays/eu
   destination:
     server: https://kubernetes.default.svc
     namespace: apps

infra/base/fluent-bit.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: fluent-bit
       valueFiles:
-      - $values/infra/values/fluent-bit-values.yaml
+      - $values/infra/values/base/fluent-bit-values.yaml
 
   - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD

infra/base/grafana.yaml

@@ -21,7 +21,8 @@ spec:
     helm:
       releaseName: grafana
       valueFiles:
-      - $values/infra/values/grafana-values.yaml
+      - $values/infra/values/base/grafana-values.yaml
+      - $values/infra/values/eu/grafana-values.yaml
 
   - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD

infra/base/keycloak.yaml

@@ -21,7 +21,8 @@ spec:
     helm:
       releaseName: keycloak
       valueFiles:
-      - $values/infra/values/keycloak-values.yaml
+      - $values/infra/values/base/keycloak-values.yaml
+      - $values/infra/values/eu/keycloak-values.yaml
 
   - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD

infra/base/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- traefik-application.yaml
+- keycloak.yaml
+- grafana.yaml
+- cert-manager-application.yaml
+- kyverno.yaml
+- sealedsecrets.yaml
+- prometheus.yaml
+- loki.yaml
+- fluent-bit.yaml
+- trivy.yaml
+- enterprise-apps.yaml
+- cluster-resources-application.yaml
+- kyverno-policies.yaml
+- secrets.yaml

infra/base/loki.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: loki
       valueFiles:
-      - $values/infra/values/loki-values.yaml
+      - $values/infra/values/base/loki-values.yaml
 
   - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD

infra/base/prometheus.yaml

@@ -21,7 +21,7 @@ spec:
     helm:
       releaseName: prometheus
       valueFiles:
-      - $values/infra/values/prometheus-values.yaml
+      - $values/infra/values/base/prometheus-values.yaml
 
   - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD

infra/base/secrets.yaml

@@ -18,7 +18,7 @@ spec:
   project: default
   source:
     repoURL: git@github.com:fortedigital/sturdy-adventure.git
-    path: secrets
+    path: secrets/eu
   destination:
     server: https://kubernetes.default.svc
     namespace: secrets

infra/base/traefik-application.yaml

@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+  labels:
+    app.kubernetes.io/name: traefik
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://traefik.github.io/charts
+    chart: traefik
+    targetRevision: "28.0.0"
+    helm:
+      releaseName: traefik
+      valueFiles:
+      - $values/infra/values/base/traefik-values.yaml
+      - $values/infra/values/eu/traefik-values.yaml
+
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: traefik-system
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/overlays/eu/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+# No patches needed — base already has "eu" paths
+# EU is the default/base cluster

infra/overlays/us/kustomization.yaml

@@ -0,0 +1,50 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+patches:
+# Traefik: swap eu → us in valueFiles
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/us/traefik-values.yaml
+
+# Keycloak: swap eu → us
+- target:
+    kind: Application
+    name: keycloak
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/us/keycloak-values.yaml
+
+# Grafana: swap eu → us
+- target:
+    kind: Application
+    name: grafana
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/us/grafana-values.yaml
+
+# Secrets: change path to us
+- target:
+    kind: Application
+    name: secrets
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: secrets/us
+
+# Enterprise-apps: point to us overlay
+- target:
+    kind: Application
+    name: enterprise-apps
+  patch: |
+    - op: replace
+      path: /spec/source/path
+      value: apps/overlays/us

infra/traefik-application.yaml

@@ -1,130 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: traefik-system
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: traefik
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: traefik
-    app.kubernetes.io/part-of: platform
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  source:
-    repoURL: https://traefik.github.io/charts
-    chart: traefik
-    targetRevision: "28.0.0"
-
-    helm:
-      values: |
-        providers:
-          kubernetesIngress:
-            publishedService: # Fixes ArgoCD health checks for LoadBalancer services
-              enabled: true
-        deployment:
-          replicas: 2
-
-        ingressRoute:
-          dashboard:
-            enabled: true
-            # Optional: specify entrypoint
-            entrypoint: traefik
-
-        api:
-          dashboard: true
-          debug: false
-
-        service:
-          type: LoadBalancer
-          annotations:
-            traefik.ingress.kubernetes.io/router.entrypoints: websecure
-            traefik.ingress.kubernetes.io/router.priority: "42"
-            traefik.ingress.kubernetes.io/router.tls: "true"
-            service.beta.kubernetes.io/upcloud-load-balancer-config: |
-              {
-                  "frontends": [
-                      {
-                          "name": "web",
-                          "mode": "tcp"
-                      },
-                      {
-                          "name": "websecure",
-                          "mode": "tcp"
-                      }
-                  ],
-                  "backends": [
-                      {
-                          "name": "web",
-                          "properties": {
-                              "outbound_proxy_protocol": "v2"
-                          }
-                      },
-                      {
-                          "name": "websecure",
-                          "properties": {
-                              "outbound_proxy_protocol": "v2"
-                          }
-                      }
-                  ]
-              }
-
-        ingressClass:
-          enabled: true
-          isDefaultClass: true
-
-        # Configure entry points
-        ports:
-          metrics:
-            expose: 
-              default: true
-            observability:
-              accessLogs: true
-              metrics: true
-              tracing: true
-              traceVerbosity: detailed
-          web:
-            proxyProtocol:
-              trustedIPs: "172.16.1.0/24"
-            forwardedHeaders:
-              trustedIPs: "172.16.1.0/24"
-            http:
-              redirections:
-                entrypoint:
-                  to: websecure
-                  scheme: https
-
-          websecure:
-            proxyProtocol:
-              trustedIPs: "172.16.1.0/24"
-            forwardedHeaders:
-              trustedIPs: "172.16.1.0/24"
-            observability:
-              accessLogs: true
-              metrics: true
-              tracing: true
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: traefik-system
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/values/base/argocd-values.yaml

@@ -1,5 +1,3 @@
-global:
-  domain: argocd.127.0.0.1.nip.io
 configs:
   secret:
     createSecret: true
@@ -26,10 +24,6 @@ notifications:
   secret:
     create: false
 
-  # Shared context variables available in all templates
-  context:
-    clusterName: "dev-fd-no-svg1"
-
   # Define notification templates
   templates:
     template.app-syncing: |

infra/values/base/dot-ai-stack-values.yaml

@@ -0,0 +1,11 @@
+dot-ai:
+  ingress:
+    enabled: true
+    className: traefik
+dot-ai-ui:
+  uiAuth:
+    secretRef:
+      name: dot-ai-secrets
+  ingress:
+    enabled: true
+    className: traefik

infra/values/base/grafana-values.yaml

@@ -1,7 +1,5 @@
 ingress:
   enabled: true
-  hosts:
-  - grafana.127.0.0.1.nip.io
 resources:
   requests:
     cpu: 100m

infra/values/base/keycloak-values.yaml

@@ -1,5 +1,4 @@
 # Bitnami Keycloak Helm Chart Values
-# Host: id.forteapps.net
 # Chart version: 25.2.0
 
 image:
@@ -15,7 +14,6 @@ auth:
 
 ingress:
   enabled: true
-  hostname: id.forteapps.net
   tls: true
   ingressClassName: traefik
   annotations:

infra/values/base/traefik-values.yaml

@@ -0,0 +1,50 @@
+providers:
+  kubernetesIngress:
+    publishedService: # Fixes ArgoCD health checks for LoadBalancer services
+      enabled: true
+deployment:
+  replicas: 2
+
+ingressRoute:
+  dashboard:
+    enabled: true
+    # Optional: specify entrypoint
+    entrypoint: traefik
+
+api:
+  dashboard: true
+  debug: false
+
+service:
+  type: LoadBalancer
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.priority: "42"
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+
+# Configure entry points
+ports:
+  metrics:
+    expose:
+      default: true
+    observability:
+      accessLogs: true
+      metrics: true
+      tracing: true
+      traceVerbosity: detailed
+  web:
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+
+  websecure:
+    observability:
+      accessLogs: true
+      metrics: true
+      tracing: true

infra/values/eu/argocd-values.yaml

@@ -0,0 +1,5 @@
+global:
+  domain: argocd.127.0.0.1.nip.io
+notifications:
+  context:
+    clusterName: "dev-fd-eu-no-svg1"

infra/values/eu/dot-ai-stack-values.yaml

@@ -0,0 +1,8 @@
+dot-ai:
+  ingress:
+    host: kubemcp.forteapps.net
+  webUI:
+    baseUrl: http://kubemcpui.forteapps.net
+dot-ai-ui:
+  ingress:
+    host: kubemcpui.forteapps.net

infra/values/eu/grafana-values.yaml

@@ -0,0 +1,3 @@
+ingress:
+  hosts:
+  - grafana.forteapps.net

infra/values/eu/keycloak-values.yaml

@@ -0,0 +1,2 @@
+ingress:
+  hostname: id.forteapps.net

infra/values/eu/traefik-values.yaml

@@ -0,0 +1,40 @@
+service:
+  annotations:
+    service.beta.kubernetes.io/upcloud-load-balancer-config: |
+      {
+          "frontends": [
+              {
+                  "name": "web",
+                  "mode": "tcp"
+              },
+              {
+                  "name": "websecure",
+                  "mode": "tcp"
+              }
+          ],
+          "backends": [
+              {
+                  "name": "web",
+                  "properties": {
+                      "outbound_proxy_protocol": "v2"
+                  }
+              },
+              {
+                  "name": "websecure",
+                  "properties": {
+                      "outbound_proxy_protocol": "v2"
+                  }
+              }
+          ]
+      }
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "172.16.1.0/24"
+    forwardedHeaders:
+      trustedIPs: "172.16.1.0/24"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "172.16.1.0/24"
+    forwardedHeaders:
+      trustedIPs: "172.16.1.0/24"

infra/values/us/argocd-values.yaml

@@ -0,0 +1,5 @@
+global:
+  domain: argocd.us.forteapps.net
+notifications:
+  context:
+    clusterName: "dev-fd-us-east1"

infra/values/us/dot-ai-stack-values.yaml

@@ -0,0 +1,8 @@
+dot-ai:
+  ingress:
+    host: kubemcp.us.forteapps.net
+  webUI:
+    baseUrl: http://kubemcpui.us.forteapps.net
+dot-ai-ui:
+  ingress:
+    host: kubemcpui.us.forteapps.net

infra/values/us/grafana-values.yaml

@@ -0,0 +1,3 @@
+ingress:
+  hosts:
+  - grafana.us.forteapps.net

infra/values/us/keycloak-values.yaml

@@ -0,0 +1,2 @@
+ingress:
+  hostname: id.us.forteapps.net

infra/values/us/traefik-values.yaml

@@ -0,0 +1,13 @@
+service:
+  annotations: {}
+ports:
+  web:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/16"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/16"
+  websecure:
+    proxyProtocol:
+      trustedIPs: "10.0.0.0/16"
+    forwardedHeaders:
+      trustedIPs: "10.0.0.0/16"